Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.
The undefined behavior sanitizer shows a signed integer overflow in jas_image.c.
As you can see, the commit that fixes the issue is not itself a fix for the signed integer overflow; instead it changes a bit how things work in jasper.
The complete UBSan output:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'
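The UBSan report above shows a multiplication of two 'long' operands whose product does not fit the type. The class of defect is avoided by checking the multiplication before it happens, which is the pattern shown below. This is an added example for this advisory, not code from the jasper project or from its fix commit; it assumes a 64-bit long (LP64, as on the reporting system) and GCC or Clang for the __builtin_mul_overflow intrinsic, with a portable fallback for the non-negative operands typical of image geometry (widths, heights, component counts). The function names checked_mul_long and checked_mul_long_portable are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-checked multiplication for 'long' using the GCC/Clang
 * __builtin_mul_overflow intrinsic. Returns true and stores the product
 * in *out when it fits; returns false and leaves *out untouched when the
 * mathematical product cannot be represented in 'long'.
 * Added example for this advisory, not code from the jasper project. */
static bool checked_mul_long(long a, long b, long *out)
{
    long tmp;
    if (__builtin_mul_overflow(a, b, &tmp))
        return false;           /* a * b would overflow 'long' */
    *out = tmp;
    return true;
}

/* Portable alternative without compiler intrinsics. It only accepts
 * non-negative operands (assumption for this example), which is what
 * image dimension arithmetic needs; negative inputs are rejected outright. */
static bool checked_mul_long_portable(long a, long b, long *out)
{
    if (a < 0 || b < 0)
        return false;           /* operands outside the handled domain */
    if (a != 0 && b > LONG_MAX / a)
        return false;           /* a * b would exceed LONG_MAX */
    *out = a * b;               /* safe: fits in 'long' */
    return true;
}

int main(void)
{
    long r = 0;
    /* The operands reported by UBSan in this advisory: 8543608947741818625 * 15.
     * The literal fits a 64-bit long; the product does not. */
    const long huge = 8543608947741818625L;

    printf("intrinsic: %s\n",
           checked_mul_long(huge, 15, &r) ? "ok" : "overflow rejected");
    printf("portable:  %s\n",
           checked_mul_long_portable(huge, 15, &r) ? "ok" : "overflow rejected");

    /* A realistic in-range product (e.g. 640 x 480 pixels) goes through. */
    if (checked_mul_long(640, 480, &r))
        printf("640 * 480 = %ld\n", r);
    return 0;
}
```

Both variants return false for the exact product from the report and true for ordinary image sizes, so the caller can fail the decode cleanly instead of continuing with a wrapped value.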
Affected version:
1.900.17
Fixed version:
1.900.25
Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9557
Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c
Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
Note:
This bug was found with American Fuzzy Lop.