jasper: two NULL pointer dereferences in bmp_getdata (bmp_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Fuzzing revealed two NULL pointer accesses in bmp_getdata, at two different lines of bmp_dec.c (383 and 385 in 1.900.3). Both are reachable simply by running imginfo on the input file, so any application that hands untrusted BMP data to libjasper can be crashed (denial of service) by a malformed image.

Since jasper seemed to be dead for years, I first posted this bug on oss-security. A few days ago I noticed that development is alive on GitHub, so I reported the bug to the maintainer, who came back with a fast response/fix.

The complete ASan output:

# imginfo -f $FILE
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata
==26929==ABORTING


# imginfo -f $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING
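The two reports above differ only in the faulting line (383 vs 385), which is why they count as two bugs rather than one. The script below is an added example, not part of the original advisory or of the JasPer project: it buckets AFL crash files by the ASan SUMMARY line (report kind, file:line with the column dropped, function) so that distinct crash sites in the same function are not collapsed together. The imginfo path and the crash directory are assumptions; the two sample reports embedded at the bottom are constructed from the SUMMARY lines on this page so that the bucketing can be exercised offline.

```sh
#!/bin/sh
# Added example: ASan crash-bucketing helper for AFL output. Not JasPer code.

# asan_bucket: read one ASan report (text) and print a bucket key of the form
#   "<kind> <file>:<line> <function>"
# taken from the SUMMARY line. The column number is dropped so that a
# one-character change in a line does not split a bucket, but different
# lines (bmp_dec.c:383 vs bmp_dec.c:385 on this page) stay separate.
asan_bucket() {
    printf '%s\n' "$1" | awk '
        /^SUMMARY: AddressSanitizer: / {
            # $3 = kind (SEGV, heap-buffer-overflow, ...), $4 = file:line[:col],
            # $5 = "in", $6 = function name
            loc = $4
            n = split(loc, parts, ":")
            if (n >= 2) loc = parts[1] ":" parts[2]
            print $3, loc, $6
            exit
        }'
}

# triage_dir: run an ASan-instrumented binary over every file in a crash
# directory and group the inputs by bucket key.
#   $1: directory of crash inputs (e.g. AFL's out/crashes)  -- assumed path
#   $2: ASan-built imginfo binary (default: imginfo on PATH) -- assumed path
# ASan writes its report to stderr, so stderr is captured and stdout dropped.
triage_dir() {
    dir=$1
    bin=${2:-imginfo}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        report=$("$bin" -f "$f" 2>&1 >/dev/null) || true
        key=$(asan_bucket "$report")
        [ -n "$key" ] && printf '%s\t%s\n' "$key" "$f"
    done | sort | awk -F'\t' '
        { if ($1 != last) { print "== " $1; last = $1 } print "   " $2 }'
}

# Constructed sample reports (the SUMMARY lines from this advisory, plus the
# ABORTING line ASan prints after them) so the bucketing runs without a
# jasper build at hand.
SAMPLE_A='AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata
==26929==ABORTING'
SAMPLE_B='AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING'

# demo_buckets: returns the number of distinct buckets among the samples.
demo_buckets() {
    {
        asan_bucket "$SAMPLE_A"
        asan_bucket "$SAMPLE_B"
    } | sort -u | wc -l | tr -d ' '
}

echo "bucket A: $(asan_bucket "$SAMPLE_A")"
echo "bucket B: $(asan_bucket "$SAMPLE_B")"
echo "distinct buckets: $(demo_buckets)"
```

To use it on real fuzzer output, call `triage_dir out/crashes /path/to/asan/imginfo`; each `==` header is one candidate bug and the indented lines are the inputs that reach it. Keep the bucket key as the report title when sending crashes upstream, since line numbers shift between releases (this advisory quotes 1.900.3 line numbers).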

Affected versions:
1.900.1, 1.900.3 and 1.900.4

Fixed version:
1.900.5

Commit fix:
https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8690

Timeline:
2016-08-15: bug discovered
2016-08-23: requested a feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-16: upstream released a patch
2016-10-16: blog post about the issue
2016-10-16: CVE Assigned
2016-10-16: upstream released 1.900.5

Note:
This bug was found with American Fuzzy Lop.
