Heap overflow in jpc_dec_cp_setfromcox() #28

Closed

hannob opened this issue Oct 16, 2016 · 4 comments

Comments

@hannob commented Oct 16, 2016

The attached malformed JPEG 2000 file triggers a one-byte heap overflow in jasper. It was found with american fuzzy lop.
jasper-heapoverflow-jpc_dec_cp_setfromcox.zip

Here's a stack trace from AddressSanitizer:

==28545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000010000 at pc 0x000000542b0f bp 0x7ffd396e7890 sp 0x7ffd396e7888
WRITE of size 1 at 0x618000010000 thread T0
    #0 0x542b0e in jpc_dec_cp_setfromcox /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32
    #1 0x542b0e in jpc_dec_cp_setfromcod /f/jasper/src/libjasper/jpc/jpc_dec.c:1636
    #2 0x542b0e in jpc_dec_process_cod /f/jasper/src/libjasper/jpc/jpc_dec.c:1263
    #3 0x547fb4 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x547fb4 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7fea0e13378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x618000010000 is located 0 bytes to the right of 896-byte region [0x61800000fc80,0x618000010000)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32 in jpc_dec_cp_setfromcox
Shadow bytes around the buggy address:
  0x0c307fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28545==ABORTING
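As an added triage example (not code from the issue, from hannob, or from JasPer): the script below parses the AddressSanitizer report above and pulls out what a fuzzing triager wants before filing or deduplicating a crash: the access type and size, the faulting frame, how far past the allocation the access lands, and the allocation site. It also cross-checks the numbers ASan printed against each other and recomputes the shadow address, which assumes the default x86_64 Linux shadow mapping (Shadow = (Mem >> 3) + 0x7fff8000). The sample input is a constructed copy of the report's own lines, trimmed to what the parser needs.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re

# Constructed sample input: the ASan report from the issue, trimmed to the
# lines the parser needs (the shadow-byte dump is not required).
ASAN_REPORT = """\
==28545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000010000 at pc 0x000000542b0f bp 0x7ffd396e7890 sp 0x7ffd396e7888
WRITE of size 1 at 0x618000010000 thread T0
    #0 0x542b0e in jpc_dec_cp_setfromcox /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32
    #1 0x542b0e in jpc_dec_cp_setfromcod /f/jasper/src/libjasper/jpc/jpc_dec.c:1636
    #2 0x542b0e in jpc_dec_process_cod /f/jasper/src/libjasper/jpc/jpc_dec.c:1263
    #3 0x547fb4 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x547fb4 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16

0x618000010000 is located 0 bytes to the right of 896-byte region [0x61800000fc80,0x618000010000)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32 in jpc_dec_cp_setfromcox
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

# Assumption: default x86_64 Linux ASan layout, Shadow = (Mem >> 3) + 0x7fff8000.
SHADOW_OFFSET_X86_64 = 0x7FFF8000


def shadow_addr(addr):
    """Address of the shadow byte covering an application address."""
    return (addr >> 3) + SHADOW_OFFSET_X86_64


def parse_asan_report(text):
    """Extract the access, the faulting stack, the region and the allocation stack."""
    head = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (head and access and region):
        raise ValueError("not a recognisable ASan heap-buffer-overflow report")
    # Frames before "allocated by" belong to the faulting access, frames after
    # it to the allocation site.
    split = text.index("allocated by")
    access_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text[:split])]
    alloc_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text[split:])]
    return {
        "kind": head["kind"],
        "op": access["op"],
        "size": int(access["size"]),
        "addr": int(access["addr"], 16),
        "region_lo": int(region["lo"], 16),
        "region_hi": int(region["hi"], 16),
        "region_size": int(region["size"]),
        "dist": int(region["dist"]),
        "side": region["side"],
        "access_frames": access_frames,
        "alloc_frames": alloc_frames,
    }


def consistency_checks(r):
    """Cross-check the numbers ASan printed against each other; empty list means ok."""
    problems = []
    if r["region_hi"] - r["region_lo"] != r["region_size"]:
        problems.append("region bounds do not match its stated size")
    expected = r["region_hi"] + r["dist"] if r["side"] == "right" else r["region_lo"] - r["dist"]
    if expected != r["addr"]:
        problems.append("faulting address does not match region bound plus distance")
    return problems


def bytes_past_region(r):
    """How many of the accessed bytes fall outside the allocation."""
    if r["side"] == "right":
        return r["addr"] + r["size"] - r["region_hi"]
    return min(r["size"], r["region_lo"] - r["addr"])


def triage(r):
    """Classification a fuzzing triager would put in the bug title."""
    func, loc = r["access_frames"][0]
    # First allocation frame that is not the allocator itself.
    alloc_site = next((l for f, l in r["alloc_frames"] if not f.startswith("malloc")), None)
    return {
        "memory_corruption": r["op"] == "WRITE",   # a WRITE past a heap region corrupts memory
        "oob_bytes": bytes_past_region(r),
        "faulting_function": func,
        "faulting_location": loc,
        "allocated_at": alloc_site,
        "title": (f"{r['kind']} ({r['op']} of {r['size']} byte(s), {r['dist']} bytes past a "
                  f"{r['region_size']}-byte heap region) in {func} at {loc}"),
    }


if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    print(triage(rep)["title"])
    print("checks:", consistency_checks(rep) or "ok")
    print("shadow byte of faulting address: %#x" % shadow_addr(rep["addr"]))
```

For this report the checks pass: the region bounds differ by exactly 896, the faulting address equals the region end plus 0, and the recomputed shadow address is 0x0c307fffa000, the address ASan marked with `=>` in the dump. The shadow byte there is `fa` (heap left redzone), which is what sits immediately after a heap chunk, so a one-byte write at offset 896 of an 896-byte allocation is a genuine off-by-one past the end rather than a stale or freed region.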
@mdadams (Owner) commented Oct 20, 2016

I cannot reproduce this problem.
When I run "src/appl/imginfo < jasper-heapoverflow-jpc_dec_cp_setfromcox.jp2", I get:
cannot get marker segment
cannot load image
(exit status 1)
Can you please check if you can still reproduce the problem with jasper-1.900.8 (or the current master branch)? There have been a number of bug fixes made recently to the JPEG2000 codec and one or more of them may have fixed your bug. For now, I am marking this closed. Let me know if I need to reopen.

mdadams closed this Oct 20, 2016

@mdadams (Owner) commented Oct 20, 2016

Perhaps, I should add that in version 1.900.3, the above test file does toast imginfo on my machine. So, as best I can tell, I have fixed the problem.

@thoger (Contributor) commented Dec 14, 2016

Fixed in 0d22460, so CVE-2016-8880 is a dupe of CVE-2011-4516.

@mdadams (Owner) commented Dec 15, 2016

@thoger Thanks for the confirmation that the bug is definitely fixed.
