[Bug 1653649] Re: security bug in jasper
Seth Arnold
1653649 at bugs.launchpad.net
Wed Jan 11 00:46:57 UTC 2017
** Information type changed from Private Security to Public Security
** Changed in: jasper (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to jasper in Ubuntu.
https://bugs.launchpad.net/bugs/1653649
Title:
security bug in jasper
Status in jasper package in Ubuntu:
Confirmed
Bug description:
1) Invalid pointer access Bug in jas_matrix_asl
mov rax, [rbp+var_10]
mov rax, [rax] // invalid memory access
https://github.com/mdadams/jasper/blob/master/src/libjasper/base/jas_seq.c#L354
Here pointer 'data' is corrupted, and while trying to access its value the application crashes.
while ( v4 > 0 )
{
    v5 = *(_QWORD *)(a1 + 48);
    v7 = v6;
    while ( v5 > 0 )
    {
        *v7 = jas_fast32_asl(*v7, a2); // here pointer v7 is not validated
        --v5;
        ++v7;
    }
2) Invalid pointer access Bug in jpc_undo_roi
Invalid memory access bug in jpc_dec.c
(https://github.com/mdadams/jasper/blob/master/src/libjasper/jpc/jpc_dec.c#L1925).
Here the base address of the matrix is passed to the function
jpc_undo_roi() which can be controlled by corrupting the bit stream.
An attacker can craft a jp2 image with malicious content to trigger an
arbitrary memory read. This can be used along with other
vulnerabilities to leak information.
for ( i = 0; (signed __int64)i < *(_QWORD *)(a1 + 40); ++i )
{
    for ( j = 0; (signed __int64)j < *(_QWORD *)(a1 + 48); ++j )
    {
        v15 = *(_QWORD *)(8LL * j + *(_QWORD *)(8LL * i + *(_QWORD *)(a1 + 56))); // crashing here
        v12 = (v15 ^ (v15 >> 63)) - (v15 >> 63);
        if ( 1 << v8 > v12 )
Both of these bugs were found during extensive file format fuzzing and
research done on the libjasper library.
From a quick check I found that the accessed address can be
controlled by crafting the jp2 image bit stream. Crash samples attached.
Please issue CVEs and fix these issues at the earliest.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1653649/+subscriptions
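Added illustration, not code from JasPer or from the reporter: both crashes above come from walking a matrix whose dimensions or row pointers were already corrupted by the bit stream, so this models that walk with a consistency check in front of it that fails closed instead of dereferencing a bad pointer. The struct and field names are simplified assumptions modelled on the decompiled offsets (numrows at +40, numcols at +48, row-pointer table at +56); matrix_init, matrix_is_sane and matrix_asl_checked are hypothetical helpers.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t seqent_t;

/* Simplified stand-in for jas_matrix_t (hypothetical names; the real
 * struct has more fields). rows[i] points into data, as in JasPer. */
typedef struct {
    long numrows;
    long numcols;
    seqent_t **rows;
    seqent_t *data;
    size_t datasize;  /* number of elements in data */
} matrix_t;

/* Point each row at its slice of buf; buf must hold rows*cols entries. */
void matrix_init(matrix_t *m, long rows, long cols, seqent_t **rowtab, seqent_t *buf)
{
    m->numrows = rows; m->numcols = cols; m->rows = rowtab;
    m->data = buf;     m->datasize = (size_t)rows * (size_t)cols;
    for (long i = 0; i < rows; i++) rowtab[i] = buf + i * cols;
}

/* 1 if the header is consistent and every row fits inside the backing
 * store, 0 otherwise. Addresses are compared as integers so a wild
 * pointer from a corrupted header is rejected, never dereferenced. */
int matrix_is_sane(const matrix_t *m)
{
    if (!m || m->numrows < 0 || m->numcols < 0) return 0;
    if (m->numrows == 0 || m->numcols == 0) return 1;
    if (!m->rows || !m->data || (size_t)m->numcols > m->datasize) return 0;
    uintptr_t lo = (uintptr_t)m->data;
    uintptr_t last_ok = lo + (m->datasize - (size_t)m->numcols) * sizeof(seqent_t);
    for (long i = 0; i < m->numrows; i++) {
        uintptr_t r = (uintptr_t)m->rows[i];
        if (r < lo || r > last_ok) return 0;   /* NULL, or row runs past data */
    }
    return 1;
}

/* Same walk as jas_matrix_asl (shift every entry left by n), but refuses a
 * matrix that fails validation. Returns 0 on success, -1 if rejected. */
int matrix_asl_checked(matrix_t *m, int n)
{
    if (!matrix_is_sane(m) || n < 0 || n >= 32) return -1;
    for (long i = 0; i < m->numrows; i++)
        for (long j = 0; j < m->numcols; j++)
            m->rows[i][j] = (seqent_t)((uint32_t)m->rows[i][j] << n);
    return 0;
}
```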