Heap overflow in jpc_getuint16() #29

Closed
hannob opened this Issue Oct 16, 2016 · 4 comments

Comments

Projects
None yet
3 participants
@hannob

hannob commented Oct 16, 2016

The attached file will cause a heap overflow in the function jpc_getunit16. It was found with american fuzzy lop.
jasper-heapoverflow-jpc_getuint16.zip

Here's a stack trace from address sanitizer:

==29479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ecd8 at pc 0x0000005259c4 bp 0x7fffa3b06560 sp 0x7fffa3b06558
WRITE of size 8 at 0x60200000ecd8 thread T0
    #0 0x5259c3 in jpc_getuint16 /f/jasper/src/libjasper/jpc/jpc_cs.c:1572:8
    #1 0x53538d in jpc_crg_getparms /f/jasper/src/libjasper/jpc/jpc_cs.c:1365:5
    #2 0x524f00 in jpc_getms /f/jasper/src/libjasper/jpc/jpc_cs.c:280:7
    #3 0x548052 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:372:14
    #4 0x548052 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7fc62b7ba78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x60200000ecd8 is located 0 bytes to the right of 8-byte region [0x60200000ecd0,0x60200000ecd8)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_cs.c:1572:8 in jpc_getuint16
Shadow bytes around the buggy address:
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa 00[fa]fa fa 01 fa
  0x0c047fff9da0: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff9db0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9dc0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9dd0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9de0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29479==ABORTING
@mdadams

This comment has been minimized.

Show comment
Hide comment
@mdadams

mdadams Oct 20, 2016

Owner

I cannot reproduce this problem on GCC 6.1.0 with sanitizers enabled.

Owner

mdadams commented Oct 20, 2016

I cannot reproduce this problem on GCC 6.1.0 with sanitizers enabled.

@hannob

This comment has been minimized.

Show comment
Hide comment
@hannob

hannob Oct 20, 2016

I can't reproduce either with the latest git code, so I guess it has been fixed by one of the recent commits.

hannob commented Oct 20, 2016

I can't reproduce either with the latest git code, so I guess it has been fixed by one of the recent commits.

@hannob hannob closed this Oct 20, 2016

@mdadams

This comment has been minimized.

Show comment
Hide comment
@mdadams

mdadams Oct 20, 2016

Owner

Thank you for letting me know. I'll consider this bug fixed then.

Owner

mdadams commented Oct 20, 2016

Thank you for letting me know. I'll consider this bug fixed then.

@thoger

This comment has been minimized.

Show comment
Hide comment
@thoger

thoger Dec 15, 2016

Contributor

Fixed in 0d22460. CVE-2016-8881 is a dupe of CVE-2011-4517.

Contributor

thoger commented Dec 15, 2016

Fixed in 0d22460. CVE-2016-8881 is a dupe of CVE-2011-4517.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment