Description
Hi all,
These bugs were found with AFLSmart, an input-structure aware extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.
These bugs were found on Ubuntu 16.04 64-bit -- Jasper revision 573a6e4 (HEAD).
To reproduce:
jasper --input <bug_triggering_file>.jp2 --input-format jp2 --output /dev/null --output-format bmp
Bug triggering files are attached.
Bug-1: Heap Buffer Overflow - Read of size 8 (jasper_bug_1.jp2)
ASAN says:
==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8 at pc 0x7f888adebb63 bp 0x7ffefa1c9e70 sp 0x7ffefa1c9e60
READ of size 8 at 0x60200000e9c8 thread T0
#0 0x7f888adebb62 in jas_image_depalettize /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994
#1 0x7f888ae0e0ee in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:375
#2 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#3 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#4 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000e9c8 is located 8 bytes to the left of 1-byte region [0x60200000e9d0,0x60200000e9d1)
allocated by thread T0 here:
#0 0x7f888b1adec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f888adf17d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f888adf19df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7f888ae0dd61 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:370
#4 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994 in jas_image_depalettize
Bug-2: Access Violation (jasper_bug_2.jp2)
ASAN says:
ASAN:DEADLYSIGNAL
==183299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2b29efed79 bp 0x7ffd5330cb50 sp 0x7ffd5330cac0 T0)
#0 0x7f2b29efed78 in jas_image_readcmpt /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505
#1 0x7f2b29f1b21e in bmp_putdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:324
#2 0x7f2b29f19f71 in bmp_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:217
#3 0x7f2b29efeb5c in jas_image_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:469
#4 0x4024b4 in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:277
#5 0x7f2b29b1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505 in jas_image_readcmpt
Bug-3: Heap Buffer Overflow - Write of size 1 (jasper_bug_3.jp2)
ASAN says:
=================================================================
==58646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000decf at pc 0x7f1939ddb26b bp 0x7ffe58ab9ee0 sp 0x7ffe58ab9ed0
WRITE of size 1 at 0x60200000decf thread T0
#0 0x7f1939ddb26a in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107
#1 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#2 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#3 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#4 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000decf is located 1 bytes to the left of 1-byte region [0x60200000ded0,0x60200000ded1)
allocated by thread T0 here:
#0 0x7f193a1aaec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f1939dee7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f1939ddb0ff in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1102
#3 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#4 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#5 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#6 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107 in jas_icctxtdesc_input
Bug-4: Null pointer dereference (jasper_bug_4.jp2)
ASAN says:
warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch
ASAN:DEADLYSIGNAL
==13140==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb64d6cc802 bp 0x7ffce5a16ee0 sp 0x7ffce5a16d40 T0)
#0 0x7fb64d6cc801 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417
#1 0x7fb64d6a599c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fb64d2c382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417 in jp2_decode
Bug-5: Heap Buffer Overflow -- Read of size 8 (jasper_bug_5.jp2)
ASAN says:
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: component data type mismatch
==152291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed70 at pc 0x7fc92f7873c3 bp 0x7ffe0ef9d3c0 sp 0x7ffe0ef9d3b0
READ of size 8 at 0x60200000ed70 thread T0
#0 0x7fc92f7873c2 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405
#1 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000ed71 is located 0 bytes to the right of 1-byte region [0x60200000ed70,0x60200000ed71)
allocated by thread T0 here:
#0 0x7fc92fb26ec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7fc92f76a7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7fc92f76a9df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7fc92f78090d in jp2_cdef_getdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:479
#4 0x7fc92f77f93c in jp2_box_get /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:312
#5 0x7fc92f785495 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:159
#6 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405 in jp2_decode
Bug-6: Assertion Failure (jasper_bug_6.jp2)
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
==16546==
==16546== Process terminating with default action of signal 6 (SIGABRT)
==16546== at 0x523D428: raise (raise.c:54)
==16546== by 0x523F029: abort (abort.c:89)
==16546== by 0x5235BD6: __assert_fail_base (assert.c:92)
==16546== by 0x5235C81: __assert_fail (assert.c:101)
==16546== by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)
==16546== by 0x4FADB17: jpc_dec_decodepkt (jpc_t2dec.c:314)
==16546== by 0x4FADB17: jpc_dec_decodepkts (jpc_t2dec.c:454)
==16546== by 0x4F21745: jpc_dec_process_sod (jpc_dec.c:627)
==16546== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==16546== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==16546== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==16546== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==16546== by 0x401C34: main (jasper.c:236)
Bug-7: SIGABRT - Aborted (jasper_bug_7.jp2)
==28280== Process terminating with default action of signal 6 (SIGABRT)
==28280== at 0x523D428: raise (raise.c:54)
==28280== by 0x523F029: abort (abort.c:89)
==28280== by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)
==28280== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==28280== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==28280== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==28280== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==28280== by 0x401C34: main (jasper.c:236)
Bug-8: Assertion failure (jasper_bug_8.jp2)
Error message:
warning: not enough tile data (394 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
ICC Profile CS 47524159
jasper: /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:308: jp2_decode: Assertion `dec->image->cmprof_' failed.
Aborted
Stack trace:
==33135== Process terminating with default action of signal 6 (SIGABRT)
==33135== at 0x523D428: raise (raise.c:54)
==33135== by 0x523F029: abort (abort.c:89)
==33135== by 0x5235BD6: __assert_fail_base (assert.c:92)
==33135== by 0x5235C81: __assert_fail (assert.c:101)
==33135== by 0x4EFC8E6: jp2_decode (jp2_dec.c:308)
==33135== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==33135== by 0x401C34: main (jasper.c:236)
Bug-9: Assertion failure (jasper_bug_9.jp2)
Valgrind says:
warning: trailing garbage in marker segment (30 bytes)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 ff 5f 61 74 80 00 00 00 79 28 00 10 65 88 4a 50 45 47 20 5e 65 72 73 51 6f 6e 20 32 2e 33 2e 30
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1703: calcstepsizes: Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
==109382==
==109382== Process terminating with default action of signal 6 (SIGABRT)
==109382== at 0x523D428: raise (raise.c:54)
==109382== by 0x523F029: abort (abort.c:89)
==109382== by 0x5235BD6: __assert_fail_base (assert.c:92)
==109382== by 0x5235C81: __assert_fail (assert.c:101)
==109382== by 0x4F24B2A: calcstepsizes (jpc_dec.c:1702)
==109382== by 0x4F24B2A: jpc_dec_cp_prepare (jpc_dec.c:1721)
==109382== by 0x4F24B2A: jpc_dec_process_sod (jpc_dec.c:592)
==109382== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==109382== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==109382== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==109382== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==109382== by 0x401C34: main (jasper.c:236)
Bug-10: Assertion Failure (jasper_bug_10.jp2)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 72 65 61 74 10 64 20 62 79 20 00 10 65 6e 4a 50 45 47 20 5e 65 72 73 69 6f 6e 20 32 2e 33 2e 30
warning: not enough tile data (5 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed.
==135670==
==135670== Process terminating with default action of signal 6 (SIGABRT)
==135670== at 0x523D428: raise (raise.c:54)
==135670== by 0x523F029: abort (abort.c:89)
==135670== by 0x5235BD6: __assert_fail_base (assert.c:92)
==135670== by 0x5235C81: __assert_fail (assert.c:101)
==135670== by 0x4F12FBE: jpc_dequantize (jpc_dec.c:1883)
==135670== by 0x4F12FBE: jpc_dec_tiledecode (jpc_dec.c:1107)
==135670== by 0x4F22B34: jpc_dec_process_sod (jpc_dec.c:657)
==135670== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==135670== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==135670== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==135670== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==135670== by 0x401C34: main (jasper.c:236)
Regards,
Thuan
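The reports above come in two shapes: an AddressSanitizer report with `#N` frames, and a Valgrind SIGABRT trace with or without a preceding `Assertion ... failed` line. The triage helper below is an added example, not part of this report or of the JasPer project. It reduces each report to a signature (kind, innermost frame that is not libc's abort path, file:line), groups test cases by that signature so duplicates of one root cause show up together, and wraps the reproduction command given above. `reproduce()` assumes a sanitizer-instrumented `jasper` binary on PATH and is not exercised by the embedded samples, which are excerpts of the output posted above.

```python
"""Triage helper for sanitizer / Valgrind crash reports (added example)."""
import os
import re
import shutil
import subprocess
from dataclasses import dataclass

# Frames of libc's abort path; they never identify the bug itself.
_LIBC_FRAMES = {"raise", "abort", "__assert_fail_base", "__assert_fail"}

_ASAN_KIND = re.compile(r"AddressSanitizer: ([\w-]+)")
_ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
_ASAN_FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\w+) (\S+?):(\d+)")
_ASSERT = re.compile(r"Assertion `(.*?)' failed")
_VG_FRAME = re.compile(r"(?:at|by) 0x[0-9A-F]+: (\w+) \(([^:()]+):(\d+)\)")


@dataclass(frozen=True)
class Crash:
    kind: str       # "heap-buffer-overflow", "SEGV", "assertion", "abort", ...
    access: str     # "READ 8", "WRITE 1", or "" when not a memory access
    func: str       # innermost frame outside libc's abort machinery
    location: str   # basename(file):line of that frame
    detail: str     # assertion expression, if any

    @property
    def signature(self):
        return (self.kind, self.func, self.location)


def _top_frame(frames):
    """Return (func, file:line) for the innermost non-libc frame."""
    for func, path, line in frames:
        if func not in _LIBC_FRAMES:
            return func, f"{os.path.basename(path)}:{line}"
    return "?", "?"


def parse_report(text):
    """Reduce one report to a Crash; None if no known shape is recognised."""
    m = _ASAN_KIND.search(text)          # first hit is the ERROR line
    if m:
        access = _ASAN_ACCESS.search(text)
        func, loc = _top_frame(_ASAN_FRAME.findall(text))  # error stack first
        return Crash(m.group(1), " ".join(access.groups()) if access else "",
                     func, loc, "")
    frames = _VG_FRAME.findall(text)
    a = _ASSERT.search(text)
    if a:
        func, loc = _top_frame(frames)
        return Crash("assertion", "", func, loc, a.group(1))
    if "SIGABRT" in text:
        func, loc = _top_frame(frames)
        return Crash("abort", "", func, loc, "")
    return None


def group_by_signature(reports):
    """Map each distinct signature to the test-case names producing it."""
    groups = {}
    for name, text in reports.items():
        crash = parse_report(text)
        key = crash.signature if crash else ("unrecognised", "?", "?")
        groups.setdefault(key, []).append(name)
    return groups


def reproduce(jp2_path, jasper="jasper", timeout=30):
    """Run the reproduction command from the report; returns stderr.

    Assumes an ASAN-instrumented `jasper` on PATH (assumption, not run here)."""
    if shutil.which(jasper) is None:
        raise FileNotFoundError(f"{jasper} not found on PATH")
    cmd = [jasper, "--input", jp2_path, "--input-format", "jp2",
           "--output", "/dev/null", "--output-format", "bmp"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stderr


# Excerpts of the reports posted above, trimmed to the lines the parser needs.
SAMPLE_REPORTS = {
    "jasper_bug_1.jp2": """\
==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8 at pc 0x7f888adebb63 bp 0x7ffefa1c9e70 sp 0x7ffefa1c9e60
READ of size 8 at 0x60200000e9c8 thread T0
    #0 0x7f888adebb62 in jas_image_depalettize /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994
    #1 0x7f888ae0e0ee in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:375
""",
    "jasper_bug_2.jp2": """\
ASAN:DEADLYSIGNAL
==183299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2b29efed79 bp 0x7ffd5330cb50 sp 0x7ffd5330cac0 T0)
    #0 0x7f2b29efed78 in jas_image_readcmpt /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505
""",
    "jasper_bug_6.jp2": """\
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
==16546== Process terminating with default action of signal 6 (SIGABRT)
==16546==    at 0x523D428: raise (raise.c:54)
==16546==    by 0x523F029: abort (abort.c:89)
==16546==    by 0x5235BD6: __assert_fail_base (assert.c:92)
==16546==    by 0x5235C81: __assert_fail (assert.c:101)
==16546==    by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)
""",
    "jasper_bug_7.jp2": """\
==28280== Process terminating with default action of signal 6 (SIGABRT)
==28280==    at 0x523D428: raise (raise.c:54)
==28280==    by 0x523F029: abort (abort.c:89)
==28280==    by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)
""",
}

if __name__ == "__main__":
    for sig, names in group_by_signature(SAMPLE_REPORTS).items():
        print(sig, "<-", ", ".join(names))
```

Grouping on (kind, innermost non-libc frame, file:line) is deliberately coarse: it merges cases that differ only in addresses and PIDs, which is what one wants when filing, while still keeping an assertion in `jpc_floorlog2` apart from a plain abort in `jpc_dec_process_sot`. To triage a directory of fuzzer findings, call `reproduce()` on each file and feed the collected stderr into `group_by_signature()`.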