jasper: signed integer overflow in jas_image.c

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

The undefined behavior sanitizer shows a signed integer overflow in jas_image.c
As you can see, the commit which fixes the issue is not a fix itself for the signed integer overflow, but changed a bit how, in jasper, the things work.

The complete UBSan output:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'

Affected version:
1.900.17

Fixed version:
1.900.25

Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9557

Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue
2016-11-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

jasper: signed integer overflow in jas_image.c

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *