NULL pointer dereference was discovered #184

Open
YourButterfly opened this Issue Oct 31, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@YourButterfly

YourButterfly commented Oct 31, 2018

An issue was discovered in Jasper 2.0.14. There is a NULL pointer dereference at function ras_putdatastd.

In file: /home/pwd/fuzz/fuzz-jasper/jenkins/jasper/src/libjasper/ras/ras_enc.c
   259 		nz = 0;
   260 		for (x = 0; x < hdr->width; x++) {
   261 			z <<= hdr->depth;
   262 			if (RAS_ISRGB(hdr)) {
   263 				v = RAS_RED((jas_matrix_getv(data[0], x))) |
 ► 264 				  RAS_GREEN((jas_matrix_getv(data[1], x))) |
   265 				  RAS_BLUE((jas_matrix_getv(data[2], x)));
   266 			} else {
   267 				v = (jas_matrix_getv(data[0], x));
   268 			}
   269 			z |= v & RAS_ONES(hdr->depth);

// Program received signal SIGSEGV (fault address 0x28)
// pwndbg> p data[1]
// $16 = (jas_matrix_t *) 0x0
// pwndbg> p data
// $17 = {0x6080000081a0, 0x0, 0x0}

At the site where data is defined, the value of "numcmpts" is 1:

	for (i = 0; i < numcmpts; ++i) {
		if (!(data[i] = jas_matrix_create(jas_image_height(image),
		  jas_image_width(image)))) {
			goto error;
		}
	}

Command line:

./jasper  --input-format jpc --output /dev/null --output-format ras --input poc

poc.zip
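The crash above happens because the RAS encoder loop dereferences data[1] and data[2] whenever the header says the output is RGB, while the image it was handed carries only one component plane, so those slots are NULL. The following is an added example, not JasPer's code or its actual fix: it uses simplified stand-in types and macros (ras_hdr_t, jas_matrix_t, RAS_RED/GREEN/BLUE, RAS_ONES, and the names ras_putrow_checked and demo_* are all assumptions) to show the guard a defender would add, namely checking that the number of component planes matches what the header demands before any plane is dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for JasPer's ras_hdr_t and jas_matrix_t (assumptions,
 * not the library's real definitions). One matrix here is a single row. */
typedef struct {
    int width;
    int height;
    int depth;   /* bits per output pixel: 8 for grayscale, 24 for RGB */
    int is_rgb;  /* stand-in for RAS_ISRGB(hdr) */
} ras_hdr_t;

typedef struct {
    int width;
    const int32_t *vals; /* `width` samples of one row */
} jas_matrix_t;

/* Stand-in for jas_matrix_getv(m, x) on a one-row matrix. */
static int32_t matrix_getv(const jas_matrix_t *m, int x) { return m->vals[x]; }

/* Assumed channel packing; the real macros may differ in bit layout. */
#define RAS_RED(v)   ((uint32_t)((v) & 0xff))
#define RAS_GREEN(v) ((uint32_t)((v) & 0xff) << 8)
#define RAS_BLUE(v)  ((uint32_t)((v) & 0xff) << 16)
#define RAS_ONES(n)  ((n) >= 32 ? 0xffffffffu : ((1u << (n)) - 1u))

/* Packs one row into out[] (one 32-bit word per pixel). Returns 0 on success
 * and -1 when the header demands more planes than the image provides or a
 * required plane is NULL, which is exactly the condition behind issue #184.
 * The unguarded original reads data[1]/data[2] for RGB no matter what. */
int ras_putrow_checked(const ras_hdr_t *hdr, jas_matrix_t **data,
                       int numcmpts, uint32_t *out)
{
    int needed = hdr->is_rgb ? 3 : 1;
    if (numcmpts < needed)
        return -1;                 /* header/component mismatch: refuse, do not crash */
    for (int i = 0; i < needed; i++)
        if (data[i] == NULL)
            return -1;             /* plane allocation never happened for this slot */

    for (int x = 0; x < hdr->width; x++) {
        uint32_t v;
        if (hdr->is_rgb) {
            v = RAS_RED(matrix_getv(data[0], x)) |
                RAS_GREEN(matrix_getv(data[1], x)) |
                RAS_BLUE(matrix_getv(data[2], x));
        } else {
            v = (uint32_t)matrix_getv(data[0], x);
        }
        out[x] = v & RAS_ONES(hdr->depth);
    }
    return 0;
}

/* Constructed sample planes: one two-pixel row per component. */
static const int32_t plane_r[2] = {0x11, 0x22};
static const int32_t plane_g[2] = {0x33, 0x44};
static const int32_t plane_b[2] = {0x55, 0x66};

/* Reproduces the report's situation: RGB header, but numcmpts is 1, so only
 * data[0] was allocated. Returns the guard's verdict (-1 expected). */
int demo_rgb_header_single_component(void)
{
    ras_hdr_t hdr = {2, 1, 24, 1};
    jas_matrix_t r = {2, plane_r};
    jas_matrix_t *data[3] = {&r, NULL, NULL};
    uint32_t out[2];
    return ras_putrow_checked(&hdr, data, 1, out);
}

/* Well-formed RGB input: three planes present. Returns the first packed pixel. */
uint32_t demo_rgb_three_components(void)
{
    ras_hdr_t hdr = {2, 1, 24, 1};
    jas_matrix_t r = {2, plane_r}, g = {2, plane_g}, b = {2, plane_b};
    jas_matrix_t *data[3] = {&r, &g, &b};
    uint32_t out[2] = {0, 0};
    if (ras_putrow_checked(&hdr, data, 3, out) != 0)
        return 0xffffffffu;
    return out[0]; /* 0x11 | 0x33<<8 | 0x55<<16 */
}

/* Grayscale input with a grayscale header: one plane is enough. */
uint32_t demo_gray_single_component(void)
{
    ras_hdr_t hdr = {2, 1, 8, 0};
    jas_matrix_t r = {2, plane_r};
    jas_matrix_t *data[1] = {&r};
    uint32_t out[2] = {0, 0};
    if (ras_putrow_checked(&hdr, data, 1, out) != 0)
        return 0xffffffffu;
    return out[0];
}

int main(void)
{
    printf("RGB header, 1 component : rc=%d\n", demo_rgb_header_single_component());
    printf("RGB header, 3 components: pixel0=0x%06x\n", demo_rgb_three_components());
    printf("gray header, 1 component: pixel0=0x%02x\n", demo_gray_single_component());
    return 0;
}
```

The important design point is that the check belongs before the pixel loop, at the same level where numcmpts is known, so a header-to-component mismatch (RGB requested, single-component JPC decoded) is reported as an encoder error instead of reaching the dereference; the same guard also covers the case where a plane allocation failed and left a slot NULL.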

carnil commented Oct 31, 2018

CVE-2018-18873 was assigned for this issue.
