heap-based buffer overflow in jas_image_chclrspc(jas_image.c)

[Twi1ight]

A heap overflow is found in jasper, and the tested commit is 806750f

#jasper # -f crash-mif-ras-heap-over-read -t mif -T ras -F 1 -S
out-of-bounds read in src/libjasper/base/jas_image.c:1259
==42283==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003f0 at pc 0x0000005522aa bp 0x7fffffffd680 sp 0x7fffffffd678
READ of size 8 at 0x6020000003f0 thread T0
    #0 0x5522a9 in jas_image_ishomosamp /jasper/src/libjasper/base/jas_image.c:1259:10
    #1 0x552883 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1452:7
    #2 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #3 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #4 0x41fd2b in _start (/jasper/tmp/src/appl/jasper+0x41fd2b)

0x6020000003f1 is located 0 bytes to the right of 1-byte region [0x6020000003f0,0x6020000003f1)
allocated by thread T0 here:
    #0 0x4ddfc8 in malloc (/jasper/tmp/src/appl/jasper+0x4ddfc8)
    #1 0x556bb7 in jas_malloc /jasper/src/libjasper/base/jas_malloc.c:241:11
    #2 0x556f8b in jas_alloc2 /jasper/src/libjasper/base/jas_malloc.c:274:9
    #3 0x542b8e in jas_image_growcmpts /jasper/src/libjasper/base/jas_image.c:889:32
    #4 0x5426e4 in jas_image_copy /jasper/src/libjasper/base/jas_image.c:237:6
    #5 0x552840 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1448:18
    #6 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #7 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /jasper/src/libjasper/base/jas_image.c:1259:10 in jas_image_ishomosamp
Shadow bytes around the buggy address:
  0x0c047fff8020: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8030: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8040: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8050: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 01 fa
  0x0c047fff8060: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa fd fd
=>0x0c047fff8070: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa[01]fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

According to the output by AddressSanitizer, I try to analyse with gdb.
by set breadpoint at jas_image_copy

Breakpoint 1, jas_image_copy (image=0x0) at jasper/src/libjasper/base/jas_image.c:229
229	{
(gdb) n
233		if (!(newimage = jas_image_create0())) {
(gdb) n 
237		if (jas_image_growcmpts(newimage, image->numcmpts_)) {
(gdb) p *image 
$5 = {tlx_ = 0, tly_ = 0, brx_ = 0, bry_ = 0, numcmpts_ = 0, maxcmpts_ = 0, cmpts_ = 0x0, clrspc_ = 16384, cmprof_ = 0x0}

as we can see, the image->numcmpts_ is 0, and image->cmpts_ is 0 too.
in jas_image_growcmpts, newcmpts is alloc according the image->numcmpts_ which is 0.
finnaly alloced by pass 0 to malloc which will return a heap address. in the later access in jas_image_ishomosamp

int jas_image_ishomosamp(jas_image_t *image)
{
     ......
	hstep = jas_image_cmpthstep(image, 0);

jas_image_cmpthstep defined in src/libjasper/include/jasper/jas_image.h:383

/* Get the horizontal subsampling factor for a component. */
#define	jas_image_cmpthstep(image, cmptno) \
	((image)->cmpts_[cmptno]->hstep_)   //here will cause the heap over read

poc file:
crash-mif-ras-heap-over-read.zip

[carnil]

This issue has been assigned CVE-2017-14132

[thoger]

Given the analysis above, it seems reasonable to patch this by having jas_image_growcmpts() return error when maxcmpts is less than or equal to 0. Or handle image->numcmpts_ == 0 in jas_image_copy().

[D0x17]

Thanks for the report, I do not understand what in your proof of concept makes "maxcmpts" less than zero.
Do you think, this exist only in libjasper? Have you got imginfo checked?
I have a workaround, I shall provide when I make sure of it.

[MaxKellermann]

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

[jubalh]

We merge dour changes from jasper-maint/jasper in this repo now.