I found a heap buffer overflow vulnerability in the current master branch (release version 2.0.24)
poc file : hoob_8.zip
ASAN report
appl git:(master) ✗ ./jasper --input ../../../hoob_8 --output test.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: component data type mismatch
=================================================================
==66520==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002f8 at pc 0x7f641ad754be bp 0x7fffbeaa2a50 sp 0x7fffbeaa2a48
READ of size 8 at 0x6020000002f8 thread T0
#0 0x7f641ad754bd in jp2_decode /home/kaka/fuzz/jasper/jasper/src/libjasper/jp2/jp2_dec.c:434:4
#1 0x7f641ad60188 in jas_image_decode /home/kaka/fuzz/jasper/jasper/src/libjasper/base/jas_image.c:436:16
#2 0x4f8d08 in main /home/kaka/fuzz/jasper/jasper/src/appl/jasper.c:235:16
#3 0x7f6419bde83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x41b658 in _start (/home/kaka/fuzz/jasper/jasper/fuzz/src/appl/jasper+0x41b658)
0x6020000002f8 is located 0 bytes to the right of 8-byte region [0x6020000002f0,0x6020000002f8)
allocated by thread T0 here:
#0 0x4c7613 in malloc (/home/kaka/fuzz/jasper/jasper/fuzz/src/appl/jasper+0x4c7613)
#1 0x7f641ad668c8 in jas_malloc /home/kaka/fuzz/jasper/jasper/src/libjasper/base/jas_malloc.c:238:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kaka/fuzz/jasper/jasper/src/libjasper/jp2/jp2_dec.c:434:4 in jp2_decode
Shadow bytes around the buggy address:
0x0c047fff8000: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
0x0c047fff8010: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
0x0c047fff8020: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
0x0c047fff8030: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
0x0c047fff8040: fa fa 04 fa fa fa 04 fa fa fa 03 fa fa fa fd fa
=>0x0c047fff8050: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00[fa]
0x0c047fff8060: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8070: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff8080: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fa fa
0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==66520==ABORTING
CVE-2021-3272 has assigned for the issue
Found by luo likang of NSFOCUS Security Team
The text was updated successfully, but these errors were encountered:
I found a heap buffer overflow vulnerability in the current master branch (release version 2.0.24)
poc file : hoob_8.zip
ASAN report
CVE-2021-3272 has assigned for the issue
Found by luo likang of NSFOCUS Security Team
The text was updated successfully, but these errors were encountered: