
A reachable assertion abort in function jpc_abstorelstepsize #173

Closed
YourButterfly opened this issue Apr 3, 2018 · 7 comments

Comments


YourButterfly commented Apr 3, 2018

Description of problem:

There is a reachable assertion abort in function jpc_abstorelstepsize of JasPer that will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):

<=libjasper 2.0.14

The output information is as follows:

```text
$ ../../../../jasper/jasper-debug/bin/jasper --input poc --input-format jpc --output out.jp2 --output-format jp2
jasper: /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:186: jpc_abstorelstepsize: Assertion `!((expn) & (~0x1f))' failed.
Aborted (core dumped)
```

The gdb debugging information is listed below:

```text
#0 0x00007ffff7760428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff776202a in __GI_abort () at abort.c:89
#2 0x00007ffff7758bd7 in __assert_fail_base (fmt=, assertion=assertion@entry=0x7ffff7b98c29 "!((expn) & (~0x"..., file=file@entry=0x7ffff7b98bf0 "/home/pwd/fuzz"..., line=line@entry=186, function=function@entry=0x7ffff7b996c0 <__PRETTY_FUNCTION__.6479> "jpc_abstorelste"...) at assert.c:92
#3 0x00007ffff7758c82 in __GI___assert_fail (assertion=0x7ffff7b98c29 "!((expn) & (~0x"..., file=0x7ffff7b98bf0 "/home/pwd/fuzz"..., line=186, function=0x7ffff7b996c0 <__PRETTY_FUNCTION__.6479> "jpc_abstorelste"...) at assert.c:101
#4 0x00007ffff7b4cc0d in jpc_abstorelstepsize (absdelta=8192, scaleexpn=72) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:186
#5 0x00007ffff7b5029e in jpc_enc_encodemainhdr (enc=0x60f880) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:1018
#6 0x00007ffff7b4cdb7 in jpc_encode (image=0x611860, out=0x60d580, optstr=0x7fffffffc920 "\n_jp2overhead=9"...) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:302
#7 0x00007ffff7b3a86f in jp2_encode (image=0x611860, out=0x60d580, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jp2/jp2_enc.c:397
#8 0x00007ffff7b1fc00 in jas_image_encode (image=0x611860, out=0x60d580, fmt=4, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/base/jas_image.c:469
#9 0x000000000040252c in main (argc=9, argv=0x7fffffffdb28) at /home/pwd/fuzz_jasper/jasper/src/appl/jasper.c:277
#10 0x00007ffff774b830 in __libc_start_main (main=0x401c76, argc=9, argv=0x7fffffffdb28, init=, fini=, rtld_fini=, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:291
#11 0x0000000000401ba9 in _start ()
```

jpc_abstorelstepsize in jpc_enc.c:
```c
static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
{
	int p;
	uint_fast32_t mant;
	uint_fast32_t expn;
	int n;

	if (absdelta < 0) {
		abort();
	}

	/* binary exponent of the step size relative to the fixed-point fraction bits */
	p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
	/* 11-bit mantissa, normalised so the leading one lands in bit 11 */
	n = 11 - jpc_firstone(absdelta);
	mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
	/* exponent stored in the QCX field; the assertion in the trace requires expn < 32 */
	expn = scaleexpn - p;
	if (scaleexpn < p) {
		abort();
	}
	return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
}
```

Additional info:

Credits:

pwd@360TeamSerious

PoC: https://github.com/TeamSeri0us/pocs/blob/master/jasper/jpc_abstorelstepsize_Assertion_poc
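The arithmetic behind the reported frame, as an added example that is not JasPer's code: the gdb frame gives absdelta=8192 and scaleexpn=72, and with JPC_FIX_FRACBITS = 13 and the QCX field macros (both assumed from JasPer's headers, not shown on this page) that yields expn = 72, which cannot be encoded in the 5-bit exponent field guarded by the assertion `!((expn) & (~0x1f))`. The hardened variant below reports the out-of-range exponent as an error instead of aborting, so a caller can reject the input.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed JasPer definitions (jpc_fix.h / jpc_cs.h); not shown on this page. */
#define JPC_FIX_FRACBITS 13
#define JPC_QCX_EXPN(x)  (((x) & 0x1f) << 11)   /* 5-bit exponent field  */
#define JPC_QCX_MANT(x)  ((x) & 0x7ff)          /* 11-bit mantissa field */
typedef int32_t jpc_fix_t;

/* Index of the most significant set bit, -1 for zero (mirrors jpc_firstone). */
static int firstone(jpc_fix_t x)
{
    int n = -1;
    while (x > 0) { x >>= 1; ++n; }
    return n;
}

/* Hardened re-implementation: same arithmetic as the function above, but an
 * exponent that does not fit the 5-bit QCX field is reported as -1 instead of
 * tripping assert()/abort(). Returns the 16-bit QCX value on success. */
long abstorelstepsize_checked(jpc_fix_t absdelta, int scaleexpn)
{
    int p, n, expn;
    uint_fast32_t mant;

    if (absdelta <= 0)                  /* original aborts on < 0; 0 has no MSB */
        return -1;
    p = firstone(absdelta) - JPC_FIX_FRACBITS;  /* binary exponent of the step */
    n = 11 - firstone(absdelta);
    mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
    expn = scaleexpn - p;
    if (expn < 0 || (expn & ~0x1f))     /* the condition the assertion checks */
        return -1;
    return (long)(JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant));
}

int main(void)
{
    /* Values from the gdb frame on this page: absdelta=8192, scaleexpn=72. */
    printf("poc values : %ld (expn would be 72, not encodable in 5 bits)\n",
           abstorelstepsize_checked(8192, 72));
    printf("sane values: 0x%lx\n", abstorelstepsize_checked(8192, 10));
    return 0;
}
```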

ajhenrique commented

@YourButterfly has there been any solution for this issue? I am having the same failure reported while attempting to run a grib2 encoder.

jubalh (Member) commented Nov 2, 2019

I think this issue got assigned CVE-2018-9252.
To my knowledge it is unfixed.

@ajhenrique In case you haven't read it: you might be interested in reading the open issue titled State of jasper.

ajhenrique commented Nov 2, 2019

@jubalh thank you for the follow up. In lieu of a bugfix, is there any known workaround for this specific problem?

jubalh (Member) commented Nov 2, 2019

The workaround is to use openjpeg.

thoger (Contributor) commented Nov 5, 2019

> You might be interested in reading the open issue titled State of jasper.

For posterity, the above is reference to issue #208.

MaxKellermann (Contributor) commented

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending).

jubalh (Member) commented Jul 28, 2020

Merged!

@jubalh jubalh closed this as completed Jul 28, 2020