bugs found by our bug scanner #194

Closed
lqiulin opened this issue Feb 18, 2019 · 4 comments

@lqiulin
lqiulin commented Feb 18, 2019

Hi all,

Our bug scanner has reported some bugs.
Bug triggering files are attached.

Bug-1: div/mod-zero

  1. in function cp_create,jpc_enc.c#749
    if (jpc_fixtodbl(tcp->ilyrrates[lyrno]) > ((double) cp->totalsize)/ cp->rawsize) { jas_eprintf("warning: intermediate layer rates must be less than overall rate\n"); goto error; }
    Divisor: rawsize
    Result: Could be 0, Please Check.

  2. in function jpc_dec_tileinit, jpc_dec.c#736~#738
    if (!(tcomp->data = jas_seq2d_create(JPC_CEILDIV(tile->xstart, cmpt->hstep), JPC_CEILDIV(tile->ystart, cmpt->vstep), JPC_CEILDIV(tile->xend, cmpt->hstep), JPC_CEILDIV(tile->yend, cmpt->vstep)))) { return -1; }
    Divisor: cmpt->hstep, cmpt->vstep
    Result: Could be 0, Please Check.

  3. in function jpc_dec_process_siz, jpc_dec.c#1270~#1273, #1339~#1342
    if (!(tcomp->data = jas_seq2d_create(JPC_CEILDIV(tile->xstart, cmpt->hstep), JPC_CEILDIV(tile->ystart, cmpt->vstep), JPC_CEILDIV(tile->xend, cmpt->hstep), JPC_CEILDIV(tile->yend, cmpt->vstep)))) { return -1; }
    cmpt->width = JPC_CEILDIV(dec->xend, cmpt->hstep) - JPC_CEILDIV(dec->xstart, cmpt->hstep); cmpt->height = JPC_CEILDIV(dec->yend, cmpt->vstep) - JPC_CEILDIV(dec->ystart, cmpt->vstep);
    tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep); tcomp->ystart = JPC_CEILDIV(tile->ystart, cmpt->vstep); tcomp->xend = JPC_CEILDIV(tile->xend, cmpt->hstep); tcomp->yend = JPC_CEILDIV(tile->yend, cmpt->vstep);
    Divisor: cmpt->hstep, cmpt->vstep
    Result: Could be 0, Please Check.

  4. in function jas_cmxform_apply, jas_cm.c#542
    *bufptr = (v - bias) / scale;
    Divisor: scale
    Result: Could be 0, Please Check.
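All four findings have the same shape: a value read from the input (the per-component sub-sampling steps `hstep`/`vstep`, which the decoder takes from the SIZ marker, or a colour-transform `scale`) reaches a division with no zero check in between. The block below is an added example written for this thread, not JasPer's own code: it defines a local `JPC_CEILDIV` with the usual ceiling-division arithmetic (JasPer's macro has the same shape), hypothetical `cmpt_params`/`image_bounds` structs standing in for the decoder's state, and hypothetical `jpc_safe_*` helpers that reject a zero divisor before the `width`/`height` computation from finding 3 and the `(v - bias) / scale` expression from finding 4 run. The constructed inputs mark what a malformed stream could carry.

```c
/* Added example for jasper issue #194; not JasPer code. The struct and
 * jpc_safe_* names are hypothetical stand-ins for the decoder's state. */
#include <stdio.h>
#include <stdint.h>

/* Integer ceiling of x / y, the same arithmetic shape as JasPer's macro.
 * It divides by y unconditionally, so y == 0 is undefined behaviour
 * (a SIGFPE on most platforms). Note x + y - 1 can also wrap for x near
 * UINT32_MAX; the guards below only cover the zero divisor the report names. */
#define JPC_CEILDIV(x, y) (((x) + (y) - 1) / (y))

/* Hypothetical per-component parameters (hstep/vstep are the horizontal and
 * vertical sub-sampling steps the decoder reads from the SIZ marker). */
struct cmpt_params {
    uint32_t hstep;
    uint32_t vstep;
};

/* Hypothetical image bounds in reference-grid coordinates. */
struct image_bounds {
    uint32_t xstart, ystart, xend, yend;
};

/* Validate the divisors before any JPC_CEILDIV uses them.
 * Returns 0 when both steps are non-zero, -1 otherwise. */
int jpc_safe_check_steps(const struct cmpt_params *cmpt)
{
    if (cmpt->hstep == 0 || cmpt->vstep == 0) {
        return -1;
    }
    return 0;
}

/* Same width/height arithmetic as in finding 3, but only after the check.
 * Returns 0 and writes *width/*height, or -1 leaving them untouched. */
int jpc_safe_cmpt_dims(const struct image_bounds *img,
                       const struct cmpt_params *cmpt,
                       uint32_t *width, uint32_t *height)
{
    if (jpc_safe_check_steps(cmpt) < 0) {
        return -1;
    }
    *width = JPC_CEILDIV(img->xend, cmpt->hstep) - JPC_CEILDIV(img->xstart, cmpt->hstep);
    *height = JPC_CEILDIV(img->yend, cmpt->vstep) - JPC_CEILDIV(img->ystart, cmpt->vstep);
    return 0;
}

/* Counterpart for finding 4: reject a zero scale instead of producing an
 * infinite or NaN sample. Returns 0 and writes *out, or -1. */
int jpc_safe_scale(double v, double bias, double scale, double *out)
{
    if (scale == 0.0) {
        return -1;
    }
    *out = (v - bias) / scale;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a sane component and one with a zero horizontal step
     * of the kind a malformed SIZ marker could carry. */
    struct image_bounds img = { 1, 1, 640, 480 };
    struct cmpt_params ok = { 2, 2 };
    struct cmpt_params bad = { 0, 2 };
    uint32_t w = 0, h = 0;
    double sample = 0.0;

    if (jpc_safe_cmpt_dims(&img, &ok, &w, &h) == 0) {
        printf("ok component: width=%u height=%u\n", (unsigned)w, (unsigned)h);
    }
    if (jpc_safe_cmpt_dims(&img, &bad, &w, &h) < 0) {
        printf("bad component: rejected, no division performed\n");
    }
    if (jpc_safe_scale(10.0, 2.0, 0.0, &sample) < 0) {
        printf("zero scale: rejected\n");
    }
    return 0;
}
```

The point of the wrapper is that the check sits where the value enters the arithmetic, so every later `JPC_CEILDIV` on the same component (tile init, `jas_seq2d_create` bounds, `tcomp` coordinates) is covered by one validation rather than one check per call site.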

@kloczek
kloczek commented Mar 9, 2019

Can you tell something about your scanner? :)
Is it possible to have a look at it or try it?

@stuartly
Sure, the link of the scanner is: https://github.com/stuartly/MissingCheck

@MaxKellermann

Bug 1 has been fixed in our fork: https://github.com/jasper-maint/jasper/

@jubalh jubalh closed this as completed in fd564ee Jul 28, 2020
jubalh added a commit to jubalh/buildroot that referenced this issue Jul 28, 2020
Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements

@abergmann

CVE-2021-27845 was assigned to this issue.
