memory leaks in jpc_dec_decodepkts #193

Open
zerokeeper opened this Issue Dec 31, 2018 · 3 comments


zerokeeper commented Dec 31, 2018

Hi, JasPer team. When I convert a JP2 file, I found a memory leak bug reported by AddressSanitizer.
The version is 2.0.14.

jasper-jpc_dec_decodepkts-memory-leak.zip

./jasper --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2

warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (2 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data

=================================================================
==30640==ERROR: LeakSanitizer: detected memory leaks

SUMMARY: AddressSanitizer: 128424 byte(s) leaked in 509 allocation(s).


zerokeeper commented Dec 31, 2018

Update: I rebuilt with AddressSanitizer; this shows symbolized stack traces.
This is the gdb debug info:

➜ bin git:(master) ✗ gdb -q ./jasper
Reading symbols from ./jasper...done.
(gdb) set args --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2
(gdb) b jpc_tsfb.c:98
No source file named jpc_tsfb.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (jpc_tsfb.c:98) pending.
(gdb) r
Starting program: /root/jasper/local/bin/jasper --input jasper-jpc_dec_decodepkts-memory-leak --output /dev/null --output-format jp2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (2 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.

Breakpoint 1, jpc_cod_gettsfb (qmfbid=1, numlvls=23) at /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98
98 if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
(gdb) c
Continuing.
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data

=================================================================
==1982==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8288 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x403e14 in cmdopts_parse /root/jasper/src/appl/jasper.c:355
#2 0x7fffffffe77e ()

Direct leak of 528 byte(s) in 4 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x4074ff (/root/jasper/local/bin/jasper+0x4074ff)

Indirect leak of 142584 byte(s) in 481 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241

Indirect leak of 1728 byte(s) in 24 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x3 ()

Indirect leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6acb997 in jas_malloc /root/jasper/src/libjasper/base/jas_malloc.c:241
#2 0x4074ff (/root/jasper/local/bin/jasper+0x4074ff)

Indirect leak of 64 byte(s) in 4 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6c0d75b in jpc_cod_gettsfb /root/jasper/src/libjasper/jpc/jpc_tsfb.c:98

SUMMARY: AddressSanitizer: 153400 byte(s) leaked in 516 allocation(s).
[Inferior 1 (process 1982) exited with code 027]
(gdb)

Leak in jpc_tsfb.c:98:

```c
jpc_tsfb_t *jpc_cod_gettsfb(int qmfbid, int numlvls)
{
    jpc_tsfb_t *tsfb;

    /* line 98: the allocation LeakSanitizer reports as leaked */
    if (!(tsfb = malloc(sizeof(jpc_tsfb_t))))
        return 0;

    if (numlvls > 0) {
        switch (qmfbid) {
        case JPC_COX_INS:
            tsfb->qmfb = &jpc_ns_qmfb2d;
            break;
        default:
        case JPC_COX_RFT:
            tsfb->qmfb = &jpc_ft_qmfb2d;
            break;
        }
    } else {
        tsfb->qmfb = 0;
    }
    tsfb->numlvls = numlvls;
    return tsfb;
}
```
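jpc_cod_gettsfb hands its allocation back to the caller, so whether that block is ever freed depends on the decoder's error handling once packet decoding fails ("alignment failed", "jpc_dec_decodepkts failed"). The following added example is constructed for this thread and is not JasPer code: the names tsfb_create, tsfb_destroy, tile_cleanup, decode_tile_leaky, decode_tile_fixed and leaked_allocs are hypothetical. It puts the leaky early-return shape beside a single-exit cleanup, with an allocation counter standing in for what LeakSanitizer reports at exit.

```c
#include <stdlib.h>

/* Added example, not JasPer code. Models the ownership bug behind this issue:
 * per-component state (like jpc_tsfb_t from jpc_cod_gettsfb) is allocated
 * while a tile is decoded, and an early return when packet decoding fails
 * ("alignment failed") skips the frees. live_allocs stands in for the
 * allocation count LeakSanitizer reports at exit. */
static int live_allocs;
typedef struct { int numlvls; const char *qmfb; } tsfb_t;

static tsfb_t *tsfb_create(int numlvls) {
    tsfb_t *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->numlvls = numlvls;
    t->qmfb = numlvls > 0 ? "ft" : NULL;  /* stand-in for the *_qmfb2d pointer */
    live_allocs++;
    return t;
}

static void tsfb_destroy(tsfb_t *t) {
    if (t) { free(t); live_allocs--; }
}

typedef struct { tsfb_t *tsfb[4]; } tile_t;  /* one tsfb per tile-component */
static void tile_cleanup(tile_t *tile) {
    for (int i = 0; i < 4; i++) { tsfb_destroy(tile->tsfb[i]); tile->tsfb[i] = NULL; }
}

/* Leaky shape; fail_packets != 0 models the corrupted codestream from the report. */
static int decode_tile_leaky(int fail_packets) {
    tile_t tile = {{0}};
    for (int i = 0; i < 4; i++)
        if (!(tile.tsfb[i] = tsfb_create(23))) return -1;  /* BUG: earlier ones leak */
    if (fail_packets) return -1;  /* BUG: the "jpc_dec_decodepkts failed" path frees nothing */
    tile_cleanup(&tile);
    return 0;
}

/* Fixed shape: every exit runs the same cleanup, freeing whatever was acquired. */
static int decode_tile_fixed(int fail_packets) {
    tile_t tile = {{0}};
    int ret = -1;
    for (int i = 0; i < 4; i++)
        if (!(tile.tsfb[i] = tsfb_create(23))) goto out;
    if (fail_packets) goto out;
    ret = 0;
out:
    tile_cleanup(&tile);
    return ret;
}

/* Outstanding allocations since the last call: the LeakSanitizer stand-in. */
static int leaked_allocs(void) { int n = live_allocs; live_allocs = 0; return n; }
```

Running the leaky version on a failing input leaves one live allocation per component, which is the pattern the symbolized trace above attributes to jpc_tsfb.c:98; the fixed version leaves none on either path.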


nluedtke commented Jan 2, 2019

This was assigned CVE-2018-20622.


apoleon commented Jan 3, 2019

After applying my patches I cannot reproduce this issue anymore. See #182.
