
double free on jpeg parsing #31

Closed
hannob opened this issue Oct 16, 2016 · 2 comments

Comments


@hannob hannob commented Oct 16, 2016

The attached file (when passed to imginfo) will cause a double free. Found with american fuzzy lop.
jasper-doublefree-mem_close.zip

Stack trace from asan:

==9522==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4c0f00 in __interceptor_free (/r/jasper/imginfo+0x4c0f00)
    #1 0x51050d in mem_close /f/jasper/src/libjasper/base/jas_stream.c:1079:3
    #2 0x507757 in jas_stream_close /f/jasper/src/libjasper/base/jas_stream.c:466:2
    #3 0x4f47e8 in jas_image_cmpt_destroy /f/jasper/src/libjasper/base/jas_image.c:343:3
    #4 0x4f47e8 in jas_image_cmpt_create /f/jasper/src/libjasper/base/jas_image.c:333
    #5 0x4f93d8 in jas_image_addcmpt /f/jasper/src/libjasper/base/jas_image.c:677:18
    #6 0x5b4a42 in jpg_mkimage /f/jasper/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x5b4a42 in jpg_decode /f/jasper/src/libjasper/jpg/jpg_dec.c:171
    #8 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #9 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #10 0x7f8cf356978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c1588 in realloc (/r/jasper/imginfo+0x4c1588)
    #1 0x501bc2 in jas_realloc2 /f/jasper/src/libjasper/base/jas_malloc.c:160:9

previously allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x50715d in jas_stream_memopen /f/jasper/src/libjasper/base/jas_stream.c:215:15

SUMMARY: AddressSanitizer: double-free (/r/jasper/imginfo+0x4c0f00) in __interceptor_free
==9522==ABORTING
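The trace above shows one block released twice: once by realloc inside jas_realloc2, then again by mem_close. As an added illustration (not code from this issue or from JasPer, and not a claim about the exact root cause in jas_stream.c), here is a small memory stream whose resize keeps its buffer pointer in step with whatever realloc has released, so close frees each block exactly once. The type and function names and the realloc hook are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed memory-stream modelled on the open/resize/close pair named in
 * the trace above (jas_stream_memopen, jas_realloc2, mem_close). Illustrative
 * code for this issue, not JasPer's own. */
typedef struct {
    unsigned char *buf; /* owned buffer: always live or NULL, never stale */
    size_t bufsize;
} memstream_t;

/* Hook so a test can simulate allocation failure (assumed for this example). */
void *(*memstream_realloc)(void *, size_t) = realloc;
void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

memstream_t *memstream_open(size_t initial)
{
    memstream_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    if (initial && !(m->buf = malloc(initial))) { free(m); return NULL; }
    m->bufsize = initial;
    return m;
}

/* 0 on success, -1 on failure. The invariant that rules out the double free:
 * m->buf is rewritten in the same step that releases the old block, so
 * memstream_close can never free a pointer realloc already freed. */
int memstream_resize(memstream_t *m, size_t newsize)
{
    if (newsize == 0) {
        /* realloc(p, 0) may free p and return NULL, which reads as failure
         * while leaving m->buf dangling; handle the zero case explicitly. */
        free(m->buf);
        m->buf = NULL;
        m->bufsize = 0;
        return 0;
    }
    unsigned char *nb = memstream_realloc(m->buf, newsize);
    if (!nb) return -1; /* old block untouched and still owned by m */
    m->buf = nb;
    m->bufsize = newsize;
    return 0;
}

void memstream_close(memstream_t *m)
{
    if (!m) return;
    free(m->buf); /* exactly one release of whatever buf holds now */
    free(m);
}
```

Built with -fsanitize=address, the shrink-to-zero, regrow and failed-grow paths all close cleanly, which is the check a fix for a report like this one should pass.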

@asarubbo asarubbo commented Oct 17, 2016

duplicate of #25


@mdadams mdadams commented Oct 20, 2016

Since this bug report is a duplicate of #25 and #25 has been fixed, I am marking this closed.

@mdadams mdadams closed this Oct 20, 2016