10 bugs found by AFLSmart (heap buffer overflows, Null pointer dereference and assertion failures) #182
Comments
@thuanpv is AFLSmart publicly available?
Thanks @asarubbo for your interest in AFLSmart. It is not publicly available yet. We would make it open source soon and I will keep you posted.
I had a look at these issues a while ago and I came up with some simple patches suitable for backports to older versions of jasper. They may be too simple, but I could successfully prevent the NULL pointer dereferences and heap-based overflows.

Bug 2: CVE-2018-19539: The assertion is triggered because data == NULL. https://gist.github.com/apoleon/7c0f3a0c28437c18fee8a51b1aa16164

Bug 4: CVE-2018-19542: The function jp2_getct returns a NULL pointer. I did not look into this further, but the crash can be prevented by adding this check. https://gist.github.com/apoleon/701d7db34d63faa16463935b1465c74e

Bug 3: CVE-2018-19540: If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative, which causes the heap-based overflow. https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823

Bug 1: CVE-2018-19541: The index v of lutents[v] will be negative if numlutents is smaller than 1. https://gist.github.com/apoleon/3e9d4e86c51d16c7e551a1cc538528b9

Bug 5: CVE-2018-19543: The bug appears to be related to CVE-2014-8138. I can reproduce this issue with ASAN. However, without ASAN the guard in jp2_decode works as expected:

/* Is the channel number reasonable? */

dec->cdef->data.cdef.ents[i].channo is much larger than dec->numchans and we goto error. I fail to understand why ASAN thinks this one causes a heap-based overflow; it might be a false positive.
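Bug 3 (asclen < 1) and bug 1 (numlutents < 1) in the comment above share one shape: a count read from the file is trusted, a buffer of that many bytes is allocated, and `count - 1` is then used as an index, so a count of zero becomes index -1 and the write lands one byte before the heap allocation, which is exactly what ASAN reports for bug 3. The program below is an added example, not JasPer's code and not Markus Koschany's patch. It models a constructed length-prefixed text record (the record layout, the `parse_textdesc` function and the `td_status` codes are all assumptions made for the example) and shows the check a backport would place before the allocation: reject a count below 1, and also a count larger than what the record actually carries, so neither the underflow nor an over-read is reachable.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not JasPer code. The record format is a constructed
 * stand-in: a 4-byte big-endian count of ASCII bytes (terminator
 * included) followed by the bytes themselves. */

enum td_status {
    TD_OK        = 0,
    TD_ERR_SHORT = 1,  /* record shorter than its 4-byte header */
    TD_ERR_LEN   = 2,  /* count is 0 (would index at -1) or exceeds record */
    TD_ERR_NOMEM = 3
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened parse. The buggy pattern is: allocate asclen bytes, copy,
 * then write ascdata[asclen - 1] = '\0'. With asclen == 0 that index is
 * -1. Validating the count before any allocation removes the underflow;
 * bounding it by the record size removes the matching over-read. */
enum td_status parse_textdesc(const uint8_t *rec, size_t reclen,
                              char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (reclen < 4)
        return TD_ERR_SHORT;
    uint32_t asclen = get_be32(rec);
    if (asclen < 1 || asclen > reclen - 4)
        return TD_ERR_LEN;
    char *ascdata = malloc(asclen);
    if (!ascdata)
        return TD_ERR_NOMEM;
    memcpy(ascdata, rec + 4, asclen);
    ascdata[asclen - 1] = '\0';   /* safe: asclen >= 1 is guaranteed above */
    *out = ascdata;
    *out_len = asclen;
    return TD_OK;
}

/* Convenience wrappers so the outcome can be checked by value. */
enum td_status parse_status(const uint8_t *rec, size_t reclen)
{
    char *s = NULL;
    size_t n = 0;
    enum td_status st = parse_textdesc(rec, reclen, &s, &n);
    free(s);
    return st;
}

int parse_text_eq(const uint8_t *rec, size_t reclen, const char *expected)
{
    char *s = NULL;
    size_t n = 0;
    int eq = 0;
    if (parse_textdesc(rec, reclen, &s, &n) == TD_OK)
        eq = (strcmp(s, expected) == 0);
    free(s);
    return eq;
}

/* Constructed sample records (not taken from the attached bug files). */
const uint8_t sample_ok[]   = {0, 0, 0, 5, 'a', 'b', 'c', 'd', '?'}; /* count 5 */
const size_t  sample_ok_len = sizeof sample_ok;
const uint8_t sample_one[]  = {0, 0, 0, 1, 'x'};                     /* count 1 */
const size_t  sample_one_len = sizeof sample_one;
const uint8_t sample_zero[] = {0, 0, 0, 0};                          /* count 0 */
const size_t  sample_zero_len = sizeof sample_zero;
const uint8_t sample_over[] = {0, 0, 0, 9, 'a', 'b'};                /* count > data */
const size_t  sample_over_len = sizeof sample_over;

int main(void)
{
    char *s = NULL;
    size_t n = 0;
    enum td_status st = parse_textdesc(sample_ok, sample_ok_len, &s, &n);
    printf("ok record:       status %d text \"%s\"\n", (int)st, st == TD_OK ? s : "");
    free(s);
    printf("count 1:         status %d\n", (int)parse_status(sample_one, sample_one_len));
    printf("zero count:      status %d\n", (int)parse_status(sample_zero, sample_zero_len));
    printf("oversized count: status %d\n", (int)parse_status(sample_over, sample_over_len));
    return 0;
}
```

The zero-count record is the case the backport for bug 3 guards against; the oversized-count record is the companion check that keeps the copy inside the record. Under ASAN, the unchecked version of this parse on the zero-count record produces the same "1 bytes to the left of 1-byte region" report shape seen in the bug 3 trace.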
FYI, AFLSmart now is available at https://github.com/aflsmart/aflsmart
Regards CVE-2018-19542. Regards jasper-software#182. Adapted fix from Markus Koschany <apo@debian.org>. From https://gist.github.com/apoleon/701d7db34d63faa16463935b1465c74e
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow. Regards CVE-2018-19540. Regards jasper-software#182 bug#3 Fix by Markus Koschany <apo@debian.org>. From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
The index v of lutents[v] will be negative if numlutents is smaller than 1. This causes the heap-based buffer overflow because the lutents[] starts at 0. Regards CVE-2018-19541. Regards jasper-software#182 bug#1 Fix by Markus Koschany apo@debian.org. From https://gist.github.com/apoleon/3e9d4e86c51d16c7e551a1cc538528b9
Fix for CVE-2018-19542 is incorrect; it breaks support of correct .jp2 files bug-19542.jp2.zip. Please, see my PR #200.
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow. Regards CVE-2018-19540. Regards jasper-software/jasper#182 bug#3 Fix by Markus Koschany <apo@debian.org>. From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823 See: jasper-software/jasper#198 Fix #22
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow. Regards CVE-2018-19540. Regards jasper-software/jasper#182 bug#3 Fix by Markus Koschany <apo@debian.org>. From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823 Location adapted. See: jasper-software/jasper#198 Fix #22
Patch by Timothy Lyanguzov <timothy.lyanguzov@sap.com> originally proposed at jasper-software/jasper#200. To fix jasper-software/jasper#182. Instead of jasper-software/jasper#197 / https://gist.github.com/apoleon/701d7db34d63faa16463935b1465c74e. Fix #7
Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
Changes:
* Fix CVE-2018-9154 jasper-software/jasper#215 jasper-software/jasper#166 jasper-software/jasper#175 jasper-maint/jasper#8
* Fix CVE-2018-19541 jasper-software/jasper#199 jasper-maint/jasper#6
* Fix CVE-2016-9399, CVE-2017-13751 jasper-maint/jasper#1
* Fix CVE-2018-19540 jasper-software/jasper#182 jasper-maint/jasper#22
* Fix CVE-2018-9055 jasper-maint/jasper#9
* Fix CVE-2017-13748 jasper-software/jasper#168
* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505 jasper-maint/jasper#3 jasper-maint/jasper#4 jasper-maint/jasper#5 jasper-software/jasper#88 jasper-software/jasper#89 jasper-software/jasper#90
* Fix CVE-2018-9252 jasper-maint/jasper#16
* Fix CVE-2018-19139 jasper-maint/jasper#14
* Fix CVE-2018-19543, CVE-2017-9782 jasper-maint/jasper#13 jasper-maint/jasper#18 jasper-software/jasper#140 jasper-software/jasper#182
* Fix CVE-2018-20570 jasper-maint/jasper#11 jasper-software/jasper#191
* Fix CVE-2018-20622 jasper-maint/jasper#12 jasper-software/jasper#193
* Fix CVE-2016-9398 jasper-maint/jasper#10
* Fix CVE-2017-14132 jasper-maint/jasper#17
* Fix CVE-2017-5499 jasper-maint/jasper#2 jasper-software/jasper#63
* Fix CVE-2018-18873 jasper-maint/jasper#15 jasper-software/jasper#184
* Fix jasper-software/jasper#207
* Fix jasper-software/jasper#194 part 1
* Fix CVE-2017-13750 jasper-software/jasper#165 jasper-software/jasper#174
* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table
* Fix various memory leaks
* Plenty of code cleanups, and performance improvements
Fixes the following security issues:
* Fix CVE-2018-9154 jasper-software/jasper#215 jasper-software/jasper#166 jasper-software/jasper#175 jasper-maint/jasper#8
* Fix CVE-2018-19541 jasper-software/jasper#199 jasper-maint/jasper#6
* Fix CVE-2016-9399, CVE-2017-13751 jasper-maint/jasper#1
* Fix CVE-2018-19540 jasper-software/jasper#182 jasper-maint/jasper#22
* Fix CVE-2018-9055 jasper-maint/jasper#9
* Fix CVE-2017-13748 jasper-software/jasper#168
* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505 jasper-maint/jasper#3 jasper-maint/jasper#4 jasper-maint/jasper#5 jasper-software/jasper#88 jasper-software/jasper#89 jasper-software/jasper#90
* Fix CVE-2018-9252 jasper-maint/jasper#16
* Fix CVE-2018-19139 jasper-maint/jasper#14
* Fix CVE-2018-19543, CVE-2017-9782 jasper-maint/jasper#13 jasper-maint/jasper#18 jasper-software/jasper#140 jasper-software/jasper#182
* Fix CVE-2018-20570 jasper-maint/jasper#11 jasper-software/jasper#191
* Fix CVE-2018-20622 jasper-maint/jasper#12 jasper-software/jasper#193
* Fix CVE-2016-9398 jasper-maint/jasper#10
* Fix CVE-2017-14132 jasper-maint/jasper#17
* Fix CVE-2017-5499 jasper-maint/jasper#2 jasper-software/jasper#63
* Fix CVE-2018-18873 jasper-maint/jasper#15 jasper-software/jasper#184
* Fix CVE-2017-13750 jasper-software/jasper#165 jasper-software/jasper#174
Furthermore, drop now upstreamed patches and change to the new jasper-software upstream location.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* Fix CVE-2018-9154 jasper-software/jasper#215 jasper-software/jasper#166 jasper-software/jasper#175 jasper-maint/jasper#8
* Fix CVE-2018-19541 jasper-software/jasper#199 jasper-maint/jasper#6
* Fix CVE-2016-9399, CVE-2017-13751 jasper-maint/jasper#1
* Fix CVE-2018-19540 jasper-software/jasper#182 jasper-maint/jasper#22
* Fix CVE-2018-9055 jasper-maint/jasper#9
* Fix CVE-2017-13748 jasper-software/jasper#168
* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505 jasper-maint/jasper#3 jasper-maint/jasper#4 jasper-maint/jasper#5 jasper-software/jasper#88 jasper-software/jasper#89 jasper-software/jasper#90
* Fix CVE-2018-9252 jasper-maint/jasper#16
* Fix CVE-2018-19139 jasper-maint/jasper#14
* Fix CVE-2018-19543, CVE-2017-9782 jasper-maint/jasper#13 jasper-maint/jasper#18 jasper-software/jasper#140 jasper-software/jasper#182
* Fix CVE-2018-20570 jasper-maint/jasper#11 jasper-software/jasper#191
* Fix CVE-2018-20622 jasper-maint/jasper#12 jasper-software/jasper#193
* Fix CVE-2016-9398 jasper-maint/jasper#10
* Fix CVE-2017-14132 jasper-maint/jasper#17
* Fix CVE-2017-5499 jasper-maint/jasper#2 jasper-software/jasper#63
* Fix CVE-2018-18873 jasper-maint/jasper#15 jasper-software/jasper#184
* Fix CVE-2017-13750 jasper-software/jasper#165 jasper-software/jasper#174
Furthermore, drop now upstreamed patches and change to the new jasper-software upstream location.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Hi all,
These bugs were found with AFLSmart, an input-structure-aware extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.
These bugs were found on Ubuntu 16.04 64-bit -- Jasper revision 573a6e4 (HEAD)
To reproduce:
jasper --input <bug_triggering_file>.jp2 --input-format jp2 --output /dev/null --output-format bmp
Bug triggering files are attached.
Bug-1: Heap Buffer Overflow - Read of size 8 (jasper_bug_1.jp2)
ASAN says:
==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8 at pc 0x7f888adebb63 bp 0x7ffefa1c9e70 sp 0x7ffefa1c9e60
READ of size 8 at 0x60200000e9c8 thread T0
#0 0x7f888adebb62 in jas_image_depalettize /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994
#1 0x7f888ae0e0ee in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:375
#2 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#3 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#4 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000e9c8 is located 8 bytes to the left of 1-byte region [0x60200000e9d0,0x60200000e9d1)
allocated by thread T0 here:
#0 0x7f888b1adec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f888adf17d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f888adf19df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7f888ae0dd61 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:370
#4 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994 in jas_image_depalettize
Bug-2: Access Violation (jasper_bug_2.jp2)
ASAN says:
ASAN:DEADLYSIGNAL
==183299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2b29efed79 bp 0x7ffd5330cb50 sp 0x7ffd5330cac0 T0)
#0 0x7f2b29efed78 in jas_image_readcmpt /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505
#1 0x7f2b29f1b21e in bmp_putdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:324
#2 0x7f2b29f19f71 in bmp_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:217
#3 0x7f2b29efeb5c in jas_image_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:469
#4 0x4024b4 in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:277
#5 0x7f2b29b1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505 in jas_image_readcmpt
Bug-3: Heap Buffer Overflow - Write of size 1 (jasper_bug_3.jp2)
ASAN says:
=================================================================
==58646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000decf at pc 0x7f1939ddb26b bp 0x7ffe58ab9ee0 sp 0x7ffe58ab9ed0
WRITE of size 1 at 0x60200000decf thread T0
#0 0x7f1939ddb26a in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107
#1 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#2 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#3 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#4 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000decf is located 1 bytes to the left of 1-byte region [0x60200000ded0,0x60200000ded1)
allocated by thread T0 here:
#0 0x7f193a1aaec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f1939dee7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f1939ddb0ff in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1102
#3 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#4 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#5 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#6 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107 in jas_icctxtdesc_input
Bug-4: Null pointer dereference (jasper_bug_4.jp2)
ASAN says:
warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch
ASAN:DEADLYSIGNAL
==13140==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb64d6cc802 bp 0x7ffce5a16ee0 sp 0x7ffce5a16d40 T0)
#0 0x7fb64d6cc801 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417
#1 0x7fb64d6a599c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fb64d2c382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417 in jp2_decode
Bug-5: Heap Buffer Overflow -- Read of size 8 (jasper_bug_5.jp2)
ASAN says:
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: component data type mismatch
==152291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed70 at pc 0x7fc92f7873c3 bp 0x7ffe0ef9d3c0 sp 0x7ffe0ef9d3b0
READ of size 8 at 0x60200000ed70 thread T0
#0 0x7fc92f7873c2 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405
#1 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)
0x60200000ed71 is located 0 bytes to the right of 1-byte region [0x60200000ed70,0x60200000ed71)
allocated by thread T0 here:
#0 0x7fc92fb26ec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7fc92f76a7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7fc92f76a9df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7fc92f78090d in jp2_cdef_getdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:479
#4 0x7fc92f77f93c in jp2_box_get /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:312
#5 0x7fc92f785495 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:159
#6 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405 in jp2_decode
Bug-6: Assertion Failure (japer_bug_6.jp2)
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
==16546==
==16546== Process terminating with default action of signal 6 (SIGABRT)
==16546== at 0x523D428: raise (raise.c:54)
==16546== by 0x523F029: abort (abort.c:89)
==16546== by 0x5235BD6: __assert_fail_base (assert.c:92)
==16546== by 0x5235C81: __assert_fail (assert.c:101)
==16546== by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)
==16546== by 0x4FADB17: jpc_dec_decodepkt (jpc_t2dec.c:314)
==16546== by 0x4FADB17: jpc_dec_decodepkts (jpc_t2dec.c:454)
==16546== by 0x4F21745: jpc_dec_process_sod (jpc_dec.c:627)
==16546== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==16546== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==16546== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==16546== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==16546== by 0x401C34: main (jasper.c:236)
Bug-7: SIGABRT - Aborted (jasper_bug_7.jp2)
==28280== Process terminating with default action of signal 6 (SIGABRT)
==28280== at 0x523D428: raise (raise.c:54)
==28280== by 0x523F029: abort (abort.c:89)
==28280== by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)
==28280== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==28280== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==28280== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==28280== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==28280== by 0x401C34: main (jasper.c:236)
Bug-8: Assertion failure (jasper_bug_8.jp2)
Error message:
warning: not enough tile data (394 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
ICC Profile CS 47524159
jasper: /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:308: jp2_decode: Assertion `dec->image->cmprof_' failed.
Aborted
Stack trace:
==33135== Process terminating with default action of signal 6 (SIGABRT)
==33135== at 0x523D428: raise (raise.c:54)
==33135== by 0x523F029: abort (abort.c:89)
==33135== by 0x5235BD6: __assert_fail_base (assert.c:92)
==33135== by 0x5235C81: __assert_fail (assert.c:101)
==33135== by 0x4EFC8E6: jp2_decode (jp2_dec.c:308)
==33135== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==33135== by 0x401C34: main (jasper.c:236)
Bug-9: Assertion failure (japser_bug_9.jp2)
Valgrind says:
warning: trailing garbage in marker segment (30 bytes)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 ff 5f 61 74 80 00 00 00 79 28 00 10 65 88 4a 50 45 47 20 5e 65 72 73 51 6f 6e 20 32 2e 33 2e 30 jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1703: calcstepsizes: Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
==109382==
==109382== Process terminating with default action of signal 6 (SIGABRT)
==109382== at 0x523D428: raise (raise.c:54)
==109382== by 0x523F029: abort (abort.c:89)
==109382== by 0x5235BD6: __assert_fail_base (assert.c:92)
==109382== by 0x5235C81: __assert_fail (assert.c:101)
==109382== by 0x4F24B2A: calcstepsizes (jpc_dec.c:1702)
==109382== by 0x4F24B2A: jpc_dec_cp_prepare (jpc_dec.c:1721)
==109382== by 0x4F24B2A: jpc_dec_process_sod (jpc_dec.c:592)
==109382== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==109382== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==109382== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==109382== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==109382== by 0x401C34: main (jasper.c:236)
Bug-10: Assertion Failure (jasper_bug_10.jp2)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 72 65 61 74 10 64 20 62 79 20 00 10 65 6e 4a 50 45 47 20 5e 65 72 73 69 6f 6e 20 32 2e 33 2e 30 warning: not enough tile data (5 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed.
==135670==
==135670== Process terminating with default action of signal 6 (SIGABRT)
==135670== at 0x523D428: raise (raise.c:54)
==135670== by 0x523F029: abort (abort.c:89)
==135670== by 0x5235BD6: __assert_fail_base (assert.c:92)
==135670== by 0x5235C81: __assert_fail (assert.c:101)
==135670== by 0x4F12FBE: jpc_dequantize (jpc_dec.c:1883)
==135670== by 0x4F12FBE: jpc_dec_tiledecode (jpc_dec.c:1107)
==135670== by 0x4F22B34: jpc_dec_process_sod (jpc_dec.c:657)
==135670== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==135670== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==135670== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==135670== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==135670== by 0x401C34: main (jasper.c:236)
Regards,
Thuan
jasper_bugs.zip