A reachable assertion abort in function jpc_abstorelstepsize #173
Comments
@YourButterfly has there been any solution for this issue? I am having the same failure reported while attempting to run a grib2 encoder.
I think this issue got assigned CVE-2018-9252. @ajhenrique In case you haven't read it. You might be interested in reading the open issue titled
@jubalh thank you for the follow up. In lieu of a bugfix, is there any known workaround for this specific problem?
The workaround is to use openjpeg.
For posterity, the above is a reference to issue #208.
Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
Merged!
Description of problem:
There is a reachable assertion abort in the function jpc_abstorelstepsize of JasPer that leads to a remote denial of service: a crafted input makes the encoder hit assert() and abort the process.
Version-Release number of selected component (if applicable):
libjasper <= 2.0.14
The output information is as follows:
The gdb debugging information is listed below:
#0  0x00007ffff7760428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff776202a in __GI_abort () at abort.c:89
#2  0x00007ffff7758bd7 in __assert_fail_base (fmt=, assertion=assertion@entry=0x7ffff7b98c29 "!((expn) & (~0x"..., file=file@entry=0x7ffff7b98bf0 "/home/pwd/fuzz"..., line=line@entry=186, function=function@entry=0x7ffff7b996c0 <__PRETTY_FUNCTION__.6479> "jpc_abstorelste"...) at assert.c:92
#3  0x00007ffff7758c82 in __GI___assert_fail (assertion=0x7ffff7b98c29 "!((expn) & (~0x"..., file=0x7ffff7b98bf0 "/home/pwd/fuzz"..., line=186, function=0x7ffff7b996c0 <__PRETTY_FUNCTION__.6479> "jpc_abstorelste"...) at assert.c:101
#4  0x00007ffff7b4cc0d in jpc_abstorelstepsize (absdelta=8192, scaleexpn=72) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:186
#5  0x00007ffff7b5029e in jpc_enc_encodemainhdr (enc=0x60f880) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:1018
#6  0x00007ffff7b4cdb7 in jpc_encode (image=0x611860, out=0x60d580, optstr=0x7fffffffc920 "\n_jp2overhead=9"...) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:302
#7  0x00007ffff7b3a86f in jp2_encode (image=0x611860, out=0x60d580, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jp2/jp2_enc.c:397
#8  0x00007ffff7b1fc00 in jas_image_encode (image=0x611860, out=0x60d580, fmt=4, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/base/jas_image.c:469
#9  0x000000000040252c in main (argc=9, argv=0x7fffffffdb28) at /home/pwd/fuzz_jasper/jasper/src/appl/jasper.c:277
#10 0x00007ffff774b830 in __libc_start_main (main=0x401c76, argc=9, argv=0x7fffffffdb28, init=, fini=, rtld_fini=, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:291
#11 0x0000000000401ba9 in _start ()
Additional info:
Credits:
pwd@360TeamSerious
poc https://github.com/TeamSeri0us/pocs/blob/master/jasper/jpc_abstorelstepsize_Assertion_poc
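As an added illustration (not JasPer's source), below is a reduced reimplementation of the step-size encoding that returns an error instead of aborting when the exponent does not fit its field; the inputs absdelta=8192, scaleexpn=72 are the values from frame #4 of the backtrace. The packing assumed here (5-bit exponent, 11-bit mantissa, 13 fractional fixed-point bits, matching the "!((expn) & (~0x..." assertion text) is an assumption about JasPer's internals.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the JPEG 2000 QCD/QCC step-size field: 5-bit exponent
 * above an 11-bit mantissa. The library's macro asserts the exponent fits;
 * here the range check is an ordinary error path instead. */
#define STEP_EXPN_BITS 5
#define STEP_MANT_BITS 11
#define STEP_EXPN_MAX  ((1 << STEP_EXPN_BITS) - 1)  /* 31 */
#define FIX_FRACBITS   13  /* assumption: fixed-point fraction bits */

/* Index of the highest set bit, or -1 for zero. */
static int firstone(uint32_t x) {
    int n = -1;
    while (x) { x >>= 1; n++; }
    return n;
}

/* Encode an absolute step size (fixed point) relative to scaleexpn.
 * Returns the 16-bit field value, or -1 when the input cannot be
 * represented, so the caller can reject the input instead of aborting. */
long abstorelstepsize_checked(int32_t absdelta, int scaleexpn) {
    if (absdelta <= 0) return -1;
    int top = firstone((uint32_t)absdelta);
    int p = top - FIX_FRACBITS;            /* binary exponent of absdelta */
    int n = 11 - top;                      /* shift to normalise mantissa */
    uint32_t mant = (n < 0 ? (uint32_t)absdelta >> (-n)
                           : (uint32_t)absdelta << n) & 0x7ff;
    if (scaleexpn < p) return -1;          /* exponent would go negative */
    int expn = scaleexpn - p;
    if (expn > STEP_EXPN_MAX) return -1;   /* the case the assert() caught */
    return (long)(((uint32_t)expn << STEP_MANT_BITS) | mant);
}

int main(void) {
    /* Constructed inputs: the crashing pair from the backtrace, then a sane one. */
    printf("absdelta=8192 scaleexpn=72 -> %ld\n", abstorelstepsize_checked(8192, 72));
    printf("absdelta=8192 scaleexpn=10 -> %ld\n", abstorelstepsize_checked(8192, 10));
    return 0;
}
```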