memory leaks in jpc_dec_decodepkts #193

Closed
zerokeeper opened this issue Dec 31, 2018 · 6 comments

@zerokeeper

Hi, JasPer team. When I convert a jp2 file, I found a memory leak bug reported by AddressSanitizer.
The version is 2.0.14.

jasper-jpc_dec_decodepkts-memory-leak.zip

./jasper --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2

warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (2 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data

=================================================================
==30640==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f9eb (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c9eb)

Direct leak of 184 byte(s) in 1 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)

Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de8b1b0 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd81b0)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 88976 byte(s) in 89 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)

Indirect leak of 26304 byte(s) in 148 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f9eb (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c9eb)
#2 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 9728 byte(s) in 158 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f9eb (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c9eb)

Indirect leak of 576 byte(s) in 24 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f9eb (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c9eb)
#2 0x7f2b6de882e5 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd52e5)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 576 byte(s) in 24 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de8834f (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd534f)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 576 byte(s) in 24 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de882e5 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd52e5)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 576 byte(s) in 24 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f9eb (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c9eb)
#2 0x7f2b6de8834f (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd534f)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 504 byte(s) in 9 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de8b1b0 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xd81b0)
#3 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 64 byte(s) in 4 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6df3c528 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x189528)
#2 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x4b9798 (/root/fuzz/jasper/local/bin/jasper+0x4b9798)
#1 0x7f2b6de2f663 (/root/fuzz/jasper/local/lib/libjasper.so.4+0x7c663)
#2 0x7f2b6de957c2 (/root/fuzz/jasper/local/lib/libjasper.so.4+0xe27c2)

SUMMARY: AddressSanitizer: 128424 byte(s) leaked in 509 allocation(s).

@zerokeeper (Author)

Update: I rebuilt with AddressSanitizer. This will show symbolized stack traces.
This is the gdb debug info:

➜ bin git:(master) ✗ gdb -q ./jasper
Reading symbols from ./jasper...done.
(gdb) set args --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2
(gdb) b jpc_tsfb.c:98
No source file named jpc_tsfb.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (jpc_tsfb.c:98) pending.
(gdb) r
Starting program: /root/jasper/local/bin/jasper --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (2 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data

=================================================================
==1982==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8288 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x403e14 in cmdopts_parse /root/jasper/src/appl/jasper.c:355
#2 0x7fffffffe77e ()

Direct leak of 528 byte(s) in 4 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x4074ff (/root/jasper/local/bin/jasper+0x4074ff)

Indirect leak of 142584 byte(s) in 481 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241

Indirect leak of 1728 byte(s) in 24 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x3 ()

Indirect leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x4074ff (/root/jasper/local/bin/jasper+0x4074ff)

Indirect leak of 64 byte(s) in 4 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6c0d75b in jpc_cod_gettsfb /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98

SUMMARY: AddressSanitizer: 153400 byte(s) leaked in 516 allocation(s).
[Inferior 1 (process 1982) exited with code 027]
(gdb)

leak in jpc_tsfb.c:98

jpc_tsfb_t *jpc_cod_gettsfb(int qmfbid, int numlvls)
{
	jpc_tsfb_t *tsfb;

	/* jpc_tsfb.c:98 -- the allocation LeakSanitizer reports as leaked */
	if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
		return 0;

	if (numlvls > 0) {
		switch (qmfbid) {
		case JPC_COX_INS:
			tsfb->qmfb = &jpc_ns_qmfb2d;
			break;
		default:
		case JPC_COX_RFT:
			tsfb->qmfb = &jpc_ft_qmfb2d;
			break;
		}
	} else {
		tsfb->qmfb = 0;
	}
	tsfb->numlvls = numlvls;
	return tsfb;
}

@nluedtke

nluedtke commented Jan 2, 2019

This was assigned CVE-2018-20622.

@apoleon

apoleon commented Jan 3, 2019

After applying my patches I cannot reproduce this issue anymore. See #182

@thoger (Contributor)

thoger commented May 6, 2020

AFAICS, the main problem here is the leak of tile data memory that is a duplicate of #168 (and hence the CVE is a duplicate of CVE-2017-13748). There is a proposed fix in #159 that resolves that problem.

Whoever got the CVE-2018-20622 assigned, can you get it rejected as a dupe properly? Also, the current description of the CVE is incorrect: there's no problem in jas_malloc.c, and the problem is not specific to converting an image to the jp2 format. The leak occurs when decoding the source image, and can be reproduced with the imginfo utility as well.

@thoger (Contributor)

thoger commented May 6, 2020

After applying the patch from #159, I only see a minor 40-byte leak that occurs in jpc_dec_decodepkt(). That function calls jpc_bitstream_sopen(), which calls jpc_bitstream_alloc(), which does jas_malloc(sizeof(jpc_bitstream_t)).

jpc_dec_decodepkt() continues by parsing input and returns when some error is detected without calling jpc_bitstream_close(). To fix that problem, any return in this part of code should be prefixed with the jpc_bitstream_close(inb) call.

https://github.com/mdadams/jasper/blob/version-2.0.16/src/libjasper/jpc/jpc_t2dec.c#L227-L338
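The leak shape described in the comment above (a stream opened by jpc_bitstream_sopen() and abandoned by error returns in jpc_dec_decodepkt(); the unfreed jpc_cod_gettsfb() object quoted earlier in this issue is the same shape one level up), as an added example that is not JasPer's code. bitstream_t, bitstream_sopen(), bitstream_close(), bitstream_getbyte(), PKT_MARKER and the packet layout are hypothetical stand-ins, and the leaky and fixed variants are compared with a live-object counter rather than with LeakSanitizer, so the example runs without a sanitizer build.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for JasPer's jpc_bitstream_t (not the library's type):
 * a byte cursor over one packet buffer. */
typedef struct { const unsigned char *buf; size_t len, pos; } bitstream_t;

/* Streams currently open: makes the leak visible without LeakSanitizer. */
static int live_streams = 0;

/* Stand-in for jpc_bitstream_sopen(): one heap object per open stream. */
static bitstream_t *bitstream_sopen(const unsigned char *buf, size_t len)
{
    bitstream_t *s = malloc(sizeof *s);
    if (!s)
        return NULL;
    s->buf = buf; s->len = len; s->pos = 0;
    live_streams++;
    return s;
}

/* Stand-in for jpc_bitstream_close(). */
static void bitstream_close(bitstream_t *s)
{
    if (s) {
        free(s);
        live_streams--;
    }
}

/* Next byte of the packet, or -1 once the input is exhausted. */
static int bitstream_getbyte(bitstream_t *s)
{
    return s->pos < s->len ? s->buf[s->pos++] : -1;
}

/* Constructed packet layout for this example: marker, payload length, payload. */
#define PKT_MARKER 0x91

/* Leaky shape: each error return after bitstream_sopen() abandons the stream. */
static int decodepkt_leaky(const unsigned char *pkt, size_t len)
{
    bitstream_t *inb = bitstream_sopen(pkt, len);
    int n, i;
    if (!inb)
        return -1;
    if (bitstream_getbyte(inb) != PKT_MARKER)
        return -1;                      /* leak: inb is never closed */
    if ((n = bitstream_getbyte(inb)) < 0)
        return -1;                      /* leak */
    for (i = 0; i < n; i++) {
        if (bitstream_getbyte(inb) < 0)
            return -1;                  /* leak on a truncated payload */
    }
    bitstream_close(inb);
    return 0;
}

/* Fixed shape: one exit path that always closes the stream, so no error return
 * can skip the cleanup (same effect as a bitstream_close(inb) before each return). */
static int decodepkt_fixed(const unsigned char *pkt, size_t len)
{
    bitstream_t *inb = bitstream_sopen(pkt, len);
    int ret = -1, n, i;
    if (!inb)
        return -1;
    if (bitstream_getbyte(inb) != PKT_MARKER)
        goto cleanup;
    if ((n = bitstream_getbyte(inb)) < 0)
        goto cleanup;
    for (i = 0; i < n; i++) {
        if (bitstream_getbyte(inb) < 0)
            goto cleanup;
    }
    ret = 0;
cleanup:
    bitstream_close(inb);
    return ret;
}

/* Runs fn over a constructed truncated packet (declares 4 payload bytes, carries 1)
 * and reports how many streams are still open afterwards: 0 means no leak. */
static int streams_left_after(int (*fn)(const unsigned char *, size_t))
{
    static const unsigned char truncated[] = { PKT_MARKER, 0x04, 0xAA };
    live_streams = 0;
    (void)fn(truncated, sizeof truncated);
    return live_streams;
}

/* A well-formed constructed packet must still decode under both variants. */
static int decodes_good_packet(int (*fn)(const unsigned char *, size_t))
{
    static const unsigned char good[] = { PKT_MARKER, 0x02, 0xAA, 0xBB };
    return fn(good, sizeof good) == 0;
}
```

Calling streams_left_after(decodepkt_leaky) returns 1 (the stream dropped on the truncated payload) while streams_left_after(decodepkt_fixed) returns 0, and decodes_good_packet() returns 1 for both, which is the property a fix for this class of leak has to keep: the error paths change, the accepted inputs do not. The single cleanup label is preferred over prefixing each return because a later edit that adds another early return cannot miss it.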

@MaxKellermann (Contributor)

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

@jubalh jubalh closed this as completed in aa8516b Jul 28, 2020
jubalh added a commit to jubalh/buildroot that referenced this issue Jul 28, 2020
Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 3, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
woodsts pushed a commit to woodsts/buildroot that referenced this issue Aug 18, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>