double free on jpeg parsing #31

Closed
hannob opened this Issue Oct 16, 2016 · 2 comments
hannob commented Oct 16, 2016

The attached file (when passed to imginfo) will cause a double free. Found with american fuzzy lop.
jasper-doublefree-mem_close.zip

Stack trace from asan:

==9522==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4c0f00 in __interceptor_free (/r/jasper/imginfo+0x4c0f00)
    #1 0x51050d in mem_close /f/jasper/src/libjasper/base/jas_stream.c:1079:3
    #2 0x507757 in jas_stream_close /f/jasper/src/libjasper/base/jas_stream.c:466:2
    #3 0x4f47e8 in jas_image_cmpt_destroy /f/jasper/src/libjasper/base/jas_image.c:343:3
    #4 0x4f47e8 in jas_image_cmpt_create /f/jasper/src/libjasper/base/jas_image.c:333
    #5 0x4f93d8 in jas_image_addcmpt /f/jasper/src/libjasper/base/jas_image.c:677:18
    #6 0x5b4a42 in jpg_mkimage /f/jasper/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x5b4a42 in jpg_decode /f/jasper/src/libjasper/jpg/jpg_dec.c:171
    #8 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #9 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #10 0x7f8cf356978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c1588 in realloc (/r/jasper/imginfo+0x4c1588)
    #1 0x501bc2 in jas_realloc2 /f/jasper/src/libjasper/base/jas_malloc.c:160:9

previously allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x50715d in jas_stream_memopen /f/jasper/src/libjasper/base/jas_stream.c:215:15

SUMMARY: AddressSanitizer: double-free (/r/jasper/imginfo+0x4c0f00) in __interceptor_free
==9522==ABORTING
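The trace above has the classic shape of an ownership bug: the 1024-byte buffer is allocated by jas_stream_memopen, released when jas_realloc2 moves it to a larger block, and then freed a second time by mem_close during error-path cleanup (jas_image_cmpt_create failing and calling jas_image_cmpt_destroy). The following is a constructed illustration of that pattern and of the defensive rule that fixes it (exactly one owning pointer, updated on every successful resize, left untouched on failure); it is not JasPer's code and makes no claim about the precise root cause fixed in #25. The allocation tracker is a hypothetical stand-in for what AddressSanitizer does: it forces every realloc to move the block and records freed addresses, so a stale copy of the old pointer is reported instead of corrupting the heap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation tracker (hypothetical, not a real library). Freed
 * addresses are remembered so a second free of the same address is counted
 * and skipped; addresses handed out again by malloc are forgotten. */
#define TRACK_SLOTS 64
static void *freed_slots[TRACK_SLOTS];
static int double_free_reports;

static int find_slot(const void *p) {
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (freed_slots[i] == p) return i;
    return -1;
}

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    int i = p ? find_slot(p) : -1;      /* address recycled: it is live again */
    if (i >= 0) freed_slots[i] = NULL;
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    if (find_slot(p) >= 0) {            /* already freed: report, do not free twice */
        double_free_reports++;
        return;
    }
    int i = find_slot(NULL);
    if (i >= 0) freed_slots[i] = p;
    free(p);
}

/* Always moves the block, as ASan's allocator effectively does, so a stale
 * copy of the old pointer cannot silently stay valid. */
static void *tracked_realloc(void *p, size_t oldsz, size_t newsz) {
    void *q = tracked_malloc(newsz);
    if (!q) return NULL;                /* caller keeps ownership of p */
    if (p) {
        memcpy(q, p, oldsz < newsz ? oldsz : newsz);
        tracked_free(p);
    }
    return q;
}

/* Minimal growable memory stream, modelled loosely on the stream in the trace. */
typedef struct {
    unsigned char *buf;
    size_t bufsize, len;
    bool myalloc;                       /* true: close() owns and frees buf */
} memstream;

static bool memstream_open(memstream *m, size_t initial) {
    m->buf = tracked_malloc(initial);
    m->bufsize = m->buf ? initial : 0;
    m->len = 0;
    m->myalloc = (m->buf != NULL);
    return m->buf != NULL;
}

static bool memstream_grow(memstream *m, size_t need) {
    if (need <= m->bufsize) return true;
    size_t newsize = m->bufsize ? m->bufsize : 1024;
    while (newsize < need) newsize *= 2;
    unsigned char *nb = tracked_realloc(m->buf, m->bufsize, newsize);
    if (!nb) return false;              /* old buffer still valid and still owned */
    m->buf = nb;                        /* the single owning pointer is updated */
    m->bufsize = newsize;
    return true;
}

static bool memstream_write(memstream *m, const void *data, size_t n) {
    if (!memstream_grow(m, m->len + n)) return false;
    memcpy(m->buf + m->len, data, n);
    m->len += n;
    return true;
}

static void memstream_close(memstream *m) {
    if (m->myalloc) tracked_free(m->buf);
    m->buf = NULL;
    m->bufsize = m->len = 0;
    m->myalloc = false;
}

/* Writes 3000 bytes into a 1024-byte stream (forcing one move) and closes it.
 * With stale_cleanup set, the cleanup path also frees the pre-resize pointer,
 * the shape of bug in the trace above. Returns the number of double frees seen,
 * or -1 on an unrelated failure. */
static int run_scenario(bool stale_cleanup) {
    double_free_reports = 0;
    memstream m;
    if (!memstream_open(&m, 1024)) return -1;
    unsigned char *stale = m.buf;       /* a copy that is never updated */
    unsigned char chunk[3000];
    memset(chunk, 'A', sizeof chunk);
    if (!memstream_write(&m, chunk, sizeof chunk)) { memstream_close(&m); return -1; }
    if (m.len != 3000 || m.bufsize < 3000 || m.buf[2999] != 'A') { memstream_close(&m); return -1; }
    if (stale_cleanup) tracked_free(stale);   /* realloc already released this block */
    memstream_close(&m);
    return double_free_reports;
}

int main(void) {
    printf("correct ownership: %d double free(s)\n", run_scenario(false));
    printf("stale pointer in cleanup: %d double free(s)\n", run_scenario(true));
    return 0;
}
```

The two scenarios differ only in whether cleanup still holds the pointer captured before the resize; the correct variant reports zero double frees because the resized stream has exactly one owner. Running the real imginfo binary under ASan, as the reporter did, gives the same signal without any tracker of this kind.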
asarubbo commented Oct 17, 2016

duplicate of #25

Owner

mdadams commented Oct 20, 2016

Since this bug report is a duplicate of #25 and #25 has been fixed, I am marking this closed.

@mdadams mdadams closed this Oct 20, 2016
