jasper: two divide-by-zero in jpc_dec_process_siz (jpc_dec.c)

Posted on October 16, 2016 by ago

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

A fuzzing revelaled two divide-by-zero in jpc_dec_process_siz

Since jasper seems to be dead for years, I first posted this bug on oss-security. Since few days I noticed that the development is alive on github, I posted the bug to the maintainer which comes with a fast response/fix.

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING


# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING

Affected version:
1.900.1 and 1.900.3

Fixed version:
1.900.4

Commit fix:
https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8691
CVE-2016-8692

Timeline:
2016-08-15: bug discovered
2016-08-23: requested a feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-15: upstream released a patch
2016-10-15: upstream released 1.900.4
2016-10-16: blog post about the issue
2016-10-16: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

jasper: two divide-by-zero in jpc_dec_process_siz (jpc_dec.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.