Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-buffer-overflow in jp2_enc.c:309 at jasper version-2.0.14 and master branch #191

Closed
wuk0n9 opened this issue Dec 28, 2018 · 3 comments
Closed

Comments

@wuk0n9
Copy link

@wuk0n9 wuk0n9 commented Dec 28, 2018

A crafted input will lead to heap buffer overflow failed in jp2_enc.c:309 at jasper version-2.0.14 and master branch

Triggered by
./jasper --output /dev/null --output-format jp2 --input ./crashes/poc

Poc
poc.zip

The ASAN information is as follows:

================================================
==5337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf63004b8 at pc 0xf796cf76 bp 0xfff37868 sp 0xfff37858
READ of size 4 at 0xf63004b8 thread T0
    #0 0xf796cf75 in jp2_encode /work/jasper-master/src/libjasper/jp2/jp2_enc.c:309
    #1 0xf793ee12 in jas_image_encode /work/jasper-master/src/libjasper/base/jas_image.c:469
    #2 0x8049e3b in main /work/jasper-master/src/appl/jasper.c:277
    #3 0xf7778636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #4 0x80491a0  (/work/jasper-master/xbuild/src/appl/jasper+0x80491a0)

0xf63004b8 is located 0 bytes to the right of 8-byte region [0xf63004b0,0xf63004b8)
allocated by thread T0 here:
    #0 0xf7ae7dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xf7949cca in jas_malloc /work/jasper-master/src/libjasper/base/jas_malloc.c:241
    #2 0xf7949e68 in jas_alloc2 /work/jasper-master/src/libjasper/base/jas_malloc.c:274
    #3 0xf793ca2f in jas_image_create /work/jasper-master/src/libjasper/base/jas_image.c:153
    #4 0xf797cead in jpc_dec_process_sot /work/jasper-master/src/libjasper/jpc/jpc_dec.c:502
    #5 0xf797c863 in jpc_dec_decode /work/jasper-master/src/libjasper/jpc/jpc_dec.c:424
    #6 0xf797bca1 in jpc_decode /work/jasper-master/src/libjasper/jpc/jpc_dec.c:261
    #7 0xf796770d in jp2_decode /work/jasper-master/src/libjasper/jp2/jp2_dec.c:218
    #8 0xf793ec40 in jas_image_decode /work/jasper-master/src/libjasper/base/jas_image.c:442
    #9 0x8049aa3 in main /work/jasper-master/src/appl/jasper.c:236
    #10 0xf7778636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/jasper-master/src/libjasper/jp2/jp2_enc.c:309 jp2_encode
Shadow bytes around the buggy address:
  0x3ec60040: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3ec60050: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3ec60060: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3ec60070: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3ec60080: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
=>0x3ec60090: fa fa fd fd fa fa 00[fa]fa fa fd fd fa fa fd fa
  0x3ec600a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x3ec600b0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x3ec600c0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x3ec600d0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x3ec600e0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5337==ABORTING

FoundBy: wu.an.1900@gmail.com

@apoleon
Copy link

@apoleon apoleon commented Jan 3, 2019

After applying my patches I cannot reproduce this issue anymore. See

#182

Loading

@thoger
Copy link
Contributor

@thoger thoger commented May 5, 2020

This problem is in the following code:

https://github.com/mdadams/jasper/blob/version-2.0.16/src/libjasper/jp2/jp2_enc.c#L294-L312

That code accesses image->cmpts_[] array (via the jas_image_cmpttype() macro) at indices 0, 1, and 2 even in cases when that array is smaller (when image->numcmpts_ is less than 3, it's 2 for this reproducer).

I'm not sure if image->numcmpts_ < 3 should always be considered as error for JAS_CLRSPC_FAM_RGB and JAS_CLRSPC_FAM_YCBCR color spaces, or if processing should continue by requiring CDEF. I.e. if it's sufficient to change those checks to:

        if (jas_image_numcmpts(image) >= 3 &&
          jas_image_cmpttype(image, 0) ==
          JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) &&
          ...

Loading

@MaxKellermann
Copy link
Contributor

@MaxKellermann MaxKellermann commented Jun 28, 2020

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

Loading

@jubalh jubalh closed this in 03db7c8 Jul 28, 2020
jubalh added a commit to jubalh/buildroot that referenced this issue Jul 28, 2020
Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 3, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
woodsts pushed a commit to woodsts/buildroot that referenced this issue Aug 18, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
woodsts pushed a commit to woodsts/buildroot that referenced this issue Aug 18, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants