Heap overflow in jpc_dec_cp_setfromcox() #28

Closed
hannob opened this Issue Oct 16, 2016 · 4 comments

hannob commented Oct 16, 2016

The attached malformed JPEG 2000 file triggers a one-byte heap overflow in jasper. It was found with american fuzzy lop.
jasper-heapoverflow-jpc_dec_cp_setfromcox.zip

Here's a stack trace from address sanitizer:

==28545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000010000 at pc 0x000000542b0f bp 0x7ffd396e7890 sp 0x7ffd396e7888
WRITE of size 1 at 0x618000010000 thread T0
    #0 0x542b0e in jpc_dec_cp_setfromcox /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32
    #1 0x542b0e in jpc_dec_cp_setfromcod /f/jasper/src/libjasper/jpc/jpc_dec.c:1636
    #2 0x542b0e in jpc_dec_process_cod /f/jasper/src/libjasper/jpc/jpc_dec.c:1263
    #3 0x547fb4 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x547fb4 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7fea0e13378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x618000010000 is located 0 bytes to the right of 896-byte region [0x61800000fc80,0x618000010000)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32 in jpc_dec_cp_setfromcox
Shadow bytes around the buggy address:
  0x0c307fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28545==ABORTING
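
The bug class the ASan report above describes, a file-supplied count used as a loop bound over a fixed-size heap allocation so that the last iteration writes one byte 0 bytes past the end of the region, as an added C example. This is not JasPer's code and does not claim to be the actual root cause of this issue; the marker layout, `MAX_RLVLS`, the structs, and every function name are assumptions for illustration. The unchecked setter shows the pattern, the checked one rejects the count before touching the arrays, and a small length-checked parser feeds both from constructed marker bodies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit on resolution levels (an assumption for this
 * example, not a JasPer constant). */
#define MAX_RLVLS 8

/* Coding-style parameters parsed from a constructed marker body:
 * one count byte followed by one precinct-size byte per level. */
typedef struct {
    int     numrlvls;
    uint8_t prcsize[256];   /* the count is one byte, so 256 is a hard bound */
} cox_t;

/* Per-component decoder parameters. The arrays are heap-allocated with
 * room for MAX_RLVLS entries, which is what turns an unchecked count
 * into an off-the-end heap write of the kind ASan reported. */
typedef struct {
    int      numrlvls;
    uint8_t *prcwidthexpns;
    uint8_t *prcheightexpns;
} ccp_t;

/* Parse the marker body with a length check so the parser itself never
 * reads past buf. Returns 0 on success, -1 on a truncated body. */
int cox_parse(const uint8_t *buf, size_t len, cox_t *cox)
{
    if (len < 1) return -1;
    cox->numrlvls = buf[0];
    if (len < 1 + (size_t)cox->numrlvls) return -1;
    memcpy(cox->prcsize, buf + 1, (size_t)cox->numrlvls);
    return 0;
}

ccp_t *ccp_create(void)
{
    ccp_t *ccp = calloc(1, sizeof(*ccp));
    if (!ccp) return NULL;
    ccp->prcwidthexpns  = calloc(MAX_RLVLS, 1);
    ccp->prcheightexpns = calloc(MAX_RLVLS, 1);
    if (!ccp->prcwidthexpns || !ccp->prcheightexpns) {
        free(ccp->prcwidthexpns); free(ccp->prcheightexpns); free(ccp);
        return NULL;
    }
    return ccp;
}

void ccp_destroy(ccp_t *ccp)
{
    if (!ccp) return;
    free(ccp->prcwidthexpns); free(ccp->prcheightexpns); free(ccp);
}

/* Vulnerable pattern: the loop bound comes straight from the file. With
 * numrlvls == MAX_RLVLS + 1 the last iteration stores one byte at
 * prcwidthexpns[MAX_RLVLS], i.e. 0 bytes past the end of the region,
 * which ASan reports as a heap-buffer-overflow "WRITE of size 1". */
void ccp_setfromcox_unchecked(ccp_t *ccp, const cox_t *cox)
{
    ccp->numrlvls = cox->numrlvls;
    for (int i = 0; i < cox->numrlvls; ++i) {
        ccp->prcwidthexpns[i]  = cox->prcsize[i] & 0x0f;
        ccp->prcheightexpns[i] = (cox->prcsize[i] >> 4) & 0x0f;
    }
}

/* Hardened form: reject a count the allocation cannot hold before any
 * array is touched. Returns 0 on success, -1 on an invalid count. */
int ccp_setfromcox_checked(ccp_t *ccp, const cox_t *cox)
{
    if (cox->numrlvls < 1 || cox->numrlvls > MAX_RLVLS) return -1;
    ccp_setfromcox_unchecked(ccp, cox);
    return 0;
}

/* Constructed marker bodies (not taken from the issue's test file):
 * a sane one with 5 levels and a hostile one claiming MAX_RLVLS + 1. */
static const uint8_t good_marker[] = { 5, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t bad_marker[]  = { MAX_RLVLS + 1,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 };

/* Parse a body and apply it through the checked setter. Returns the
 * setter's result, -2 for a truncated body, -3 on allocation failure. */
int decode_marker_checked(const uint8_t *buf, size_t len)
{
    cox_t cox;
    if (cox_parse(buf, len, &cox) != 0) return -2;
    ccp_t *ccp = ccp_create();
    if (!ccp) return -3;
    int rc = ccp_setfromcox_checked(ccp, &cox);
    ccp_destroy(ccp);
    return rc;
}

int main(int argc, char **argv)
{
    printf("good marker, checked: %d\n", decode_marker_checked(good_marker, sizeof good_marker));
    printf("bad marker, checked:  %d\n", decode_marker_checked(bad_marker, sizeof bad_marker));
    if (argc > 1 && strcmp(argv[1], "unchecked") == 0) {
        /* Build with -fsanitize=address to see the one-byte overflow
         * reported; without ASan this is silent heap corruption. */
        cox_t cox; ccp_t *ccp = ccp_create();
        if (ccp && cox_parse(bad_marker, sizeof bad_marker, &cox) == 0)
            ccp_setfromcox_unchecked(ccp, &cox);
        ccp_destroy(ccp);
    }
    return 0;
}
```

Running the program with no arguments exercises only the checked path (0 for the sane marker, -1 for the hostile one); `./a.out unchecked` built with `-fsanitize=address` runs the vulnerable setter over the hostile marker and produces a report of the same shape as the one in this issue: a 1-byte write located 0 bytes to the right of a heap region.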

Owner

mdadams commented Oct 20, 2016

I cannot reproduce this problem.
When I run "src/appl/imginfo < jasper-heapoverflow-jpc_dec_cp_setfromcox.jp2", I get:
cannot get marker segment
cannot load image
(exit status 1)
Can you please check if you can still reproduce the problem with jasper-1.900.8 (or the current master branch)? There have been a number of bug fixes made recently to the JPEG2000 codec and one or more of them may have fixed your bug. For now, I am marking this closed. Let me know if I need to reopen.

@mdadams mdadams closed this Oct 20, 2016


Owner

mdadams commented Oct 20, 2016

Perhaps I should add that in version 1.900.3, the above test file does toast imginfo on my machine. So, as best I can tell, I have fixed the problem.


Contributor

thoger commented Dec 14, 2016

Fixed in 0d22460, so CVE-2016-8880 is a dupe of CVE-2011-4516.


Owner

mdadams commented Dec 15, 2016

@thoger Thanks for the confirmation that the bug is definitely fixed.
