
Invalid memory write in jas_icc.c:1333:23 #367

Closed
pip-izony opened this issue Dec 15, 2023 · 9 comments

@pip-izony

pip-izony commented Dec 15, 2023

Environment

Ubuntu 22.04.3 LTS

Compiler

clang version 11.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix

Affected Version

jasper 4.1.1

Steps to reproduce

pushd jasper
mkdir builds
mkdir install
export SOURCE_DIR=$PWD
export INSTALL_DIR=$SOURCE_DIR/install
export BUILD_DIR=$SOURCE_DIR/builds
cmake -H$SOURCE_DIR -B$BUILD_DIR -DCMAKE_INSTALL_PREFIX=$INSTALL_DIR -DJAS_ENABLE_SHARED=false
cmake --build $BUILD_DIR --target install

pushd builds/src/app
./jasper -f <PoCfile> -T jp2

Contents of PoCfile

Unzip the file below.

PoC.zip

Expected behavior

Print error or warning messages handled within jasper.

Current behavior

warning: skipping unknown tag type
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1700826==ERROR: AddressSanitizer: SEGV on unknown address 0x6041000022ef (pc 0x00000054868c bp 0x0c220000014f sp 0x7ffc39e39f40 T0)
==1700826==The signal is caused by a WRITE memory access.
    #0 0x54868c in jas_icctxt_input /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1333:23
    #1 0x5362da in jas_iccprof_load /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:404:7
    #2 0x5411ce in jas_iccprof_createfrombuf /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1870:15
    #3 0x5c97f5 in jp2_decode /home/Desktop/work_space/jasper/src/libjasper/jp2/jp2_dec.c:312:13
    #4 0x56251b in jas_image_decode /home/Desktop/work_space/jasper/src/libjasper/base/jas_image.c:445:16
    #5 0x4fc883 in main /home/Desktop/work_space/jasper/src/app/jasper.c:320:16
    #6 0x7f7e97629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f7e97629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x41f664 in _start (/home/Desktop/work_space/jasper/builds/src/app/jasper+0x41f664)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1333:23 in jas_icctxt_input
==1700826==ABORTING
@mdadams mdadams added the bug label Dec 15, 2023
@mdadams mdadams self-assigned this Dec 15, 2023
@jubalh
Member

jubalh commented Dec 15, 2023

@mdadams Thanks for handling this so fast!

Fix confirmed:

jasper -f PoC -T jp2
warning: skipping unknown tag type
error: failed to parse ICC profile
jas_image_decode: decode operation failed
error: cannot load image data
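The crash in the report above is a write in jas_icctxt_input while loading an ICC profile, and the fixed build confirmed above turns the same input into "error: failed to parse ICC profile". What follows is an added example, not code from JasPer or from anyone in this thread: a minimal ICC textType tag parser in C that validates the element length before it indexes the copied string, which is the kind of check that turns a crash of this shape into a parse error. The tag layout it assumes (4-byte type signature "text", 4 reserved bytes, then a NUL-terminated ASCII string) follows the ICC specification; the zero-length-payload failure mode it guards against is an assumption for illustration, since the page shows the crash site and the fixed behaviour but not the fix itself. The sample elements are constructed inline and are not taken from the attached PoC.

```c
/* Added example (not JasPer's code): a minimal ICC textType tag parser that
 * validates the element length before it indexes the copied string.
 * Layout assumed from the ICC spec: 4-byte type signature "text",
 * 4 reserved bytes, then a NUL-terminated 7-bit ASCII string. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ICC_TAG_HDR_LEN 8u

typedef struct {
    char *string;   /* heap copy of the text, always NUL-terminated when set */
} icc_text_t;

/* Parse one textType element of elem_len bytes.
 * Returns 0 on success (out->string allocated) or -1 on malformed input
 * (out->string left NULL, nothing leaked). */
int icc_text_parse(const uint8_t *elem, size_t elem_len, icc_text_t *out)
{
    out->string = NULL;

    /* The check that matters: the payload must hold at least the terminating
     * NUL. If a 0-byte payload were accepted, malloc(0) may return a non-NULL
     * pointer and string[cnt - 1] would become a write outside the
     * allocation. This is an assumed failure pattern used for illustration,
     * not a statement about the actual JasPer fix. */
    if (elem_len < ICC_TAG_HDR_LEN + 1)
        return -1;
    if (memcmp(elem, "text", 4) != 0)
        return -1;                              /* caller skips unknown tag types */

    size_t cnt = elem_len - ICC_TAG_HDR_LEN;    /* cnt >= 1 here */
    char *s = malloc(cnt);
    if (!s)
        return -1;
    memcpy(s, elem + ICC_TAG_HDR_LEN, cnt);
    s[cnt - 1] = '\0';                          /* force termination, in bounds */

    /* Reject embedded NULs: the string must fill the whole payload. */
    if (strlen(s) != cnt - 1) {
        free(s);
        return -1;
    }
    out->string = s;
    return 0;
}

void icc_text_free(icc_text_t *t)
{
    free(t->string);
    t->string = NULL;
}

/* Constructed sample elements; not taken from the PoC attached to the issue. */
static const uint8_t good_elem[] =
    { 't','e','x','t', 0,0,0,0, 'C','o','p','y','r','i','g','h','t', 0 };
static const uint8_t header_only_elem[] =
    { 't','e','x','t', 0,0,0,0 };                   /* payload of 0 bytes */
static const uint8_t embedded_nul_elem[] =
    { 't','e','x','t', 0,0,0,0, 'a', 0, 'b', 0 };

/* Helpers returning 1 when the parser behaves as intended for each sample. */
int demo_good(void)
{
    icc_text_t t;
    int ok = icc_text_parse(good_elem, sizeof good_elem, &t) == 0
          && strcmp(t.string, "Copyright") == 0;
    icc_text_free(&t);
    return ok;
}

int demo_header_only(void)
{
    icc_text_t t;
    return icc_text_parse(header_only_elem, sizeof header_only_elem, &t) == -1
        && t.string == NULL;
}

int demo_embedded_nul(void)
{
    icc_text_t t;
    return icc_text_parse(embedded_nul_elem, sizeof embedded_nul_elem, &t) == -1
        && t.string == NULL;
}

int main(void)
{
    printf("good: %d, header-only: %d, embedded NUL: %d\n",
           demo_good(), demo_header_only(), demo_embedded_nul());
    return 0;
}
```

Build it with `clang -fsanitize=address -g` to confirm that both rejected samples produce a clean -1 with no sanitizer report. Removing the `elem_len < ICC_TAG_HDR_LEN + 1` check and feeding header_only_elem gives cnt = 0, so the `s[cnt - 1]` store lands far outside the zero-byte allocation, the same category of invalid write the ASan trace above reports for the real parser.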

@jubalh
Member

jubalh commented Dec 15, 2023

@pip-izony did you request a CVE for this, or do you plan to request one?
Otherwise we'll do that.

@pip-izony
Author

pip-izony commented Dec 15, 2023

@pip-izony did you request a CVE for this, or do you plan to request one? Otherwise we'll do that.

I want to report it to CVE.
But if you report this bug, is there something I need to do?

@jubalh
Member

jubalh commented Dec 15, 2023

I want to report it to CVE.

Ok, then I'll wait :) Please comment the assigned CVE here once you have it.

If you report this bug, do I need to do it myself?

I didn't do it yet. I thought I'll ask you first whether you prefer to do it yourself.

@pip-izony
Author

Ok, then I will report the bug.
Thank you for your reply :)

@pip-izony
Author

This issue has been assigned CVE-2023-51257

@uvic-frodo

@jubalh I updated the NEWS file to mention this CVE.

@L1-0

L1-0 commented Jan 15, 2024

Could you add further info of the impact this bug has? Is there a possibility to leverage this into a RCE condition?

@jubalh
Member

jubalh commented Jan 15, 2024

Could you add further info of the impact this bug has? Is there a possibility to leverage this into a RCE condition?

This is a task for security researchers. We are upstream, writing and maintaining an image library.

Affected people can update to the latest version. Distributions already started backporting the fix into released versions.
