Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.
A fuzzing revelaled a double-free in mem_close.
Since jasper seems to be dead for years, I first posted this bug on oss-security. Since few days I noticed that the development is alive on github, I posted the bug to the maintainer which comes with a fast response/fix.
The complete ASan output:
# imginfo -f $FILE
Corrupt JPEG data: 1 extraneous bytes before marker 0xc4
=================================================================
==31536==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
#0 0x4bfe10 in __interceptor_free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
#1 0x7f15e7385450 in mem_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1079:3
#2 0x7f15e737ffcb in jas_stream_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:466:2
#3 0x7f15e7353b71 in jas_image_cmpt_destroy /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:343:3
#4 0x7f15e7353b71 in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:333
#5 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
#6 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
#7 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
#8 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
#9 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
#10 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#11 0x418bc8 in _start (/tmp/jasper-version-1.900.4/src/appl/.libs/imginfo+0x418bc8)
0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
#0 0x4c0498 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
#1 0x7f15e7385048 in mem_resize /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:995:14
#2 0x7f15e7385048 in mem_write /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1018
#3 0x7f15e73823a3 in jas_stream_flushbuf /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:819:7
#4 0x7f15e7383e04 in jas_stream_flush /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:749:9
#5 0x7f15e7383e04 in jas_stream_seek /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:656
#6 0x7f15e7353b4a in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:332:4
#7 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
#8 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
#9 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
#10 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
#11 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
#12 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
previously allocated by thread T0 here:
#0 0x4c0118 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
#1 0x7f15e737fb4e in jas_stream_memopen /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:215:15
#2 0x7f15e735397e in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:322:28
#3 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
#4 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
#5 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
#6 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
#7 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
#8 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
SUMMARY: AddressSanitizer: double-free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 in __interceptor_free
==31536==ABORTING
Affected version:
1.900.1, 1.900.3 and 1.900.4
Fixed version:
1.900.10
Commit fix:
https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8693
Timeline:
2016-08-15: bug discovered
2016-08-23: requested a feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-16: blog post about the issue
2016-10-16: CVE Assigned
2016-10-20: upstream released a patch
Note:
This bug was found with American Fuzzy Lop.
Permalink: