jasper: NULL pointer dereference in jpc_tsfb_synthesize (jpc_tsfb.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.5) revealed another NULL pointer dereference.

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)
warning: not enough tile data (15 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
ASAN:DEADLYSIGNAL
=================================================================
==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0)
    #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4
    #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3
    #2 0x7f6d3c2e5c40 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:623:7
    #3 0x7f6d3c2ef294 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x7f6d3c2ef294 in jpc_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:254
    #5 0x7f6d3c2bd061 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:215:21
    #6 0x7f6d3c24df39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #7 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 in jpc_tsfb_synthesize
==7144==ABORTING

Affected version:
1.900.5

Fixed version:
1.900.9

Commit fix:
https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10248

Timeline:
2016-10-19: bug discovered
2016-10-19: bug reported to upstream
2016-10-20: upstream released the patch and 1.900.9
2016-10-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Another round of fuzzing pointed out that the memory allocation failure I discovered is still reproducible in the 7.0.3.4 version.
As usual, the upstream security policy is enabled.

The interesting part of the ASan stack trace (not the full trace, since it is a copy of the one in the previous post):

# identify $FILE
   #9 0x7f467fd11c67 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:460:10
    #10 0x7f467fd11c67 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:533
    #11 0x7f4673379018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/coders/rle.c:267:36
    #12 0x7f467faeca85 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:496:13
    #13 0x7f467fff4def in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/stream.c:1012:9
    #14 0x7f467faeb69d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:226:9
    #15 0x7f467faebeae in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:326:10
    #16 0x7f467f40f4da in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/identify.c:319:18
    #17 0x7f467f48a844 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:176
    #20 0x7f467e35d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Affected version:
7.0.3.4

Fixed version:
7.0.3.8

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8866

Timeline:
2016-10-13: bug re-discovered
2016-10-13: bug re-reported to upstream
2016-10-20: blog post about the issue
2016-10-21: CVE assigned
2016-11-21: upstream released a patch
2016-11-25: upstream released 7.0.3.8

Note:
This bug was found with American Fuzzy Lop.

libwmf: memory allocation failure in wmf_malloc (api.c)

Description:
libwmf is a library for reading vector images in Microsøft’s native Windøws Metafile Format (WMF) and for either (a) displaying them in, e.g., an X window; or (b) converting them to more standard/open file formats such as, e.g., the W3C’s XML-based Scaleable Vector Graphic (SVG) format.

Fuzzing through imagemagick revealed a memory allocation failure. It was first reported to the imagemagick developers (to double-check), who stated that the issue is in libwmf.
Since the libwmf project is dead, the issue has not been reported elsewhere.

The complete ASan output:

# identify $FILE
==25497==ERROR: AddressSanitizer failed to allocate 0xfe769000 (4269182976) bytes of LargeMmapAllocator (error code: 12)
==25497==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f7173b4d337 in wmf_malloc /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482
    #10 0x7f7173b5d2f8 in wmf_scan /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/player.c:143
    #11 0x7f7173d6dcf7 in ReadWMFImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/wmf.c:2675:13
    #12 0x7f717fde7b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7f718057f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7f717fde65ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7f717fde6e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7f717f66c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7f717f70226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7f717e5a661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)

Affected version:
0.2.8.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9011

Timeline:
2016-09-14: bug discovered
2016-10-18: blog post about the issue
2016-10-25: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

snzip: memory allocation failure in work_buffer_resize (snzip.c)

Description:
snzip is a compression/decompression tool based on snappy.

Fuzzing revealed a memory allocation failure.

The complete ASan output:

# snzip -d $FILE
==12351==WARNING: AddressSanitizer failed to allocate 0xffffffffc8617364 bytes
==12351==AddressSanitizer's allocator is terminating the process instead of returning 0
==12351==If you don't like this behavior set allocator_may_return_null=1
==12351==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x4ca7ed in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d1323 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4cf076 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x424896 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317
    #4 0x424896 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359
    #5 0x4205bd in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:539
    #6 0x4205bd in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:732
    #7 0x4c1231 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #8 0x4fe72c in work_buffer_resize /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:584:13
    #9 0x51667b in snappy_java_uncompress /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snappy-java-format.c:193:7
    #10 0x4f68ea in main /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:401:11
    #11 0x7fcbabbd261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x419988 in _init (/usr/bin/snzip+0x419988)

Affected version:
1.0.3

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-13: bug discovered
2016-10-13: bug reported to upstream
2016-10-18: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
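Triaging reports like the ones in these advisories by hand does not scale across a fuzzing run, so here is an added example (not part of the advisories and not the author's tooling) that classifies an ASan report as a NULL pointer dereference or an oversized/wrapped allocation request, finds the innermost frame inside the project under test, and buckets duplicate crashes by crash site. The sample reports are abbreviated copies of the output quoted in the jasper, libwmf and snzip advisories above; the path patterns used to skip sanitizer and libc frames are an assumption about this build tree.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Abbreviated copies of the ASan reports quoted in the advisories above
# (frames irrelevant to triage omitted; the remaining lines are verbatim).
JASPER_SEGV = """\
==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0)
    #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4
    #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3
    #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
"""
LIBWMF_MMAP = """\
==25497==ERROR: AddressSanitizer failed to allocate 0xfe769000 (4269182976) bytes of LargeMmapAllocator (error code: 12)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f7173b4d337 in wmf_malloc /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482
"""
SNZIP_REALLOC = """\
==12351==WARNING: AddressSanitizer failed to allocate 0xffffffffc8617364 bytes
    #7 0x4c1231 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #8 0x4fe72c in work_buffer_resize /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:584:13
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+?):(\d+)(?::\d+)?\s*$")
SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-f]+)")
ALLOC_RE = re.compile(r"AddressSanitizer failed to allocate 0x([0-9a-f]+)")

# Frames inside the sanitizer runtime or libc are plumbing, not the bug (assumed layout).
NOISE_PATHS = ("/compiler-rt/", "/glibc-")
NOISE_FUNCS = {"malloc", "calloc", "realloc", "free", "__libc_start_main"}
NULL_PAGE = 0x1000  # a fault below the first page is a NULL (+ small offset) dereference

@dataclass
class Frame:
    function: str
    path: str
    line: int

@dataclass
class Triage:
    kind: str                 # "null-deref", "segv", "alloc-size" or "unknown"
    detail: str
    culprit: Optional[Frame]  # innermost frame that belongs to the project under test

    @property
    def key(self) -> str:
        """Bucket key: one bucket per distinct crash site in the project."""
        if self.culprit is None:
            return f"{self.kind}|?"
        site = f"{os.path.basename(self.culprit.path)}:{self.culprit.line}"
        return f"{self.kind}|{self.culprit.function}|{site}"

def first_project_frame(report: str) -> Optional[Frame]:
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        func, path = m.group(1), m.group(2)
        if func in NOISE_FUNCS or any(p in path for p in NOISE_PATHS):
            continue
        return Frame(func, path, int(m.group(3)))
    return None

def triage(report: str) -> Triage:
    culprit = first_project_frame(report)
    m = SEGV_RE.search(report)
    if m:
        addr = int(m.group(1), 16)
        kind = "null-deref" if addr < NULL_PAGE else "segv"
        return Triage(kind, f"fault address 0x{addr:x}", culprit)
    m = ALLOC_RE.search(report)
    if m:
        size = int(m.group(1), 16)
        if size >> 63:
            # Top bit set: a negative or wrapped length taken from the input.
            detail = f"wrapped/negative size 0x{size:x}"
        else:
            detail = f"oversized request of {size >> 20} MiB"
        return Triage("alloc-size", detail, culprit)
    return Triage("unknown", "", culprit)

def bucket(reports: List[str]) -> Dict[str, int]:
    """Count crashes per bucket key so duplicates from one fuzzing run collapse."""
    counts: Dict[str, int] = {}
    for r in reports:
        k = triage(r).key
        counts[k] = counts.get(k, 0) + 1
    return counts

if __name__ == "__main__":
    for k, n in sorted(bucket([JASPER_SEGV, LIBWMF_MMAP, SNZIP_REALLOC, JASPER_SEGV]).items()):
        print(f"{n:3d}  {k}")
```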

jasper: two NULL pointer dereferences in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.5) revealed that the previous issues, reported as CVE-2016-8690, are still not fixed.

The complete ASan output:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
skipping unknown data in BMP file
ASAN:DEADLYSIGNAL
=================================================================
==19659==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f90527a18fe bp 0x7ffcfacc8070 sp 0x7ffcfacc7ee0 T0)
    #0 0x7f90527a18fd in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
    #1 0x7f90527a18fd in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f9052748f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f905185761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5 in bmp_getdata
==19659==ABORTING

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
ASAN:DEADLYSIGNAL
=================================================================
==11248==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f888b2f5a44 bp 0x7ffea5b3b070 sp 0x7ffea5b3aee0 T0)
    #0 0x7f888b2f5a43 in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
    #1 0x7f888b2f5a43 in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f888b29cf39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f888a3ab61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5 in bmp_getdata
==11248==ABORTING

Affected version:
1.900.5

Fixed version:
1.900.9

Commit fix:
https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8884
CVE-2016-8885

Timeline:
2016-10-17: bug discovered
2016-10-17: bug reported to upstream
2016-10-18: blog post about the issue
2016-10-20: upstream released a patch and 1.900.9
2016-10-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


jasper: memory allocation failure in jas_malloc (jas_malloc.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.5) revealed a memory allocation failure.

The complete ASan output:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
==18943==ERROR: AddressSanitizer failed to allocate 0x1000002000 (68719484928) bytes of LargeMmapAllocator (error code: 12)
==18943==Process memory map follows:
==18943==End of process memory map.
==18943==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9ccd in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0803 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d09f1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9a2a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x421dbf in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x421dbf in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x421dbf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x421dbf in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0391 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f4f0474e170 in jas_malloc /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_malloc.c:117:9
    #10 0x7f4f0474e170 in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_malloc.c:141
    #11 0x7f4f04764b4f in bmp_getinfo /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:297:25
    #12 0x7f4f04764b4f in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:132
    #13 0x7f4f0470ef39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #14 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #15 0x7f4f0381d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x418e68 in _init (/usr/bin/imginfo+0x418e68)
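
The path in this trace, bmp_getinfo to jas_alloc2 to jas_malloc to malloc, shows a header-derived count reaching the allocator as a request of roughly 64 GiB. The block below is an added example, not jasper's code: a checked allocator with the same two-argument nmemb * size shape as jas_alloc2, applied to a constructed BMP info header so that an absurd palette or pixel size is refused before it reaches malloc. checked_alloc2, MAX_IMAGE_BYTES, bmp_check_header, make_info_header, check_sample and the sample headers are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy cap for any single image buffer: 256 MiB. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Allocator with the nmemb * size shape of jas_alloc2 seen in the trace above
 * (hypothetical, not jasper's code). It refuses a product that would wrap past
 * SIZE_MAX or exceed the policy cap, so a header count never reaches malloc. */
static void *checked_alloc2(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0 || nmemb > SIZE_MAX / size)
        return NULL;                    /* empty or overflowing request */
    if (nmemb * size > MAX_IMAGE_BYTES)
        return NULL;                    /* fits in size_t, exceeds policy */
    return malloc(nmemb * size);
}

/* Little-endian field helpers. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Validates a 40-byte BITMAPINFOHEADER (width at +4, height at +8, bit count at
 * +14, biClrUsed at +32) and test-allocates the buffers it implies. Returns 0 if
 * accepted, -1 for a truncated or malformed header, -2 if the allocation policy
 * refuses it. Assumes a 64-bit size_t, so width * depth (< 2^36) cannot wrap. */
int bmp_check_header(const uint8_t *buf, size_t len)
{
    int32_t width, height;
    uint32_t depth, numcolors;
    size_t rows, rowbytes;
    void *palette = NULL, *pixels;
    if (len < 40 || rd32le(buf) < 40)
        return -1;
    width     = (int32_t)rd32le(buf + 4);
    height    = (int32_t)rd32le(buf + 8);
    depth     = rd16le(buf + 14);
    numcolors = rd32le(buf + 32);
    if (width <= 0 || height == 0 || height == INT32_MIN)
        return -1;
    if (depth != 1 && depth != 4 && depth != 8 && depth != 16 && depth != 24 && depth != 32)
        return -1;
    if (depth <= 8) {
        /* A paletted image needs at most 1 << depth entries; biClrUsed == 0
         * means "all of them", and anything larger is malformed. */
        if (numcolors > (1u << depth))
            return -1;
        if (numcolors == 0)
            numcolors = 1u << depth;
    } else {
        numcolors = 0;                  /* true colour: no palette */
    }
    rows = (size_t)(height < 0 ? -height : height);
    rowbytes = (((size_t)width * depth + 31) / 32) * 4;   /* rows padded to 4 bytes */
    if (numcolors != 0 && (palette = checked_alloc2(numcolors, 4)) == NULL)
        return -2;                      /* 4 bytes per RGBQUAD entry */
    pixels = checked_alloc2(rows, rowbytes);
    free(palette);
    if (pixels == NULL)
        return -2;
    free(pixels);
    return 0;
}

/* Builds a constructed header (sample input, not a real file). */
void make_info_header(int32_t w, int32_t h, uint16_t depth, uint32_t ncolors, uint8_t out[40])
{
    memset(out, 0, 40);
    wr32le(out, 40);                    /* biSize */
    wr32le(out + 4, (uint32_t)w);
    wr32le(out + 8, (uint32_t)h);
    wr16le(out + 12, 1);                /* biPlanes */
    wr16le(out + 14, depth);
    wr32le(out + 32, ncolors);          /* biClrUsed */
}

/* Builds a constructed header and runs it through the check. */
int check_sample(int32_t w, int32_t h, uint16_t depth, uint32_t ncolors)
{
    uint8_t hdr[40];
    make_info_header(w, h, depth, ncolors, hdr);
    return bmp_check_header(hdr, sizeof hdr);
}

int main(void)
{
    /* 640x480 8 bpp is accepted; INT32_MAX square at 24 bpp is refused by
     * policy; 65536 colours at 8 bpp is rejected as malformed. */
    printf("sane=%d huge=%d badpal=%d\n", check_sample(640, 480, 8, 0),
           check_sample(INT32_MAX, INT32_MAX, 24, 0), check_sample(16, 16, 8, 0x10000));
    return 0;
}
```

Run stand-alone it prints sane=0 huge=-2 badpal=-1.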

Affected version:
1.900.5

Fixed version:
1.900.11

Commit fix:
https://github.com/mdadams/jasper/commit/65536647d380571d1a9a6c91fa03775fb5bbd256

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8886

Timeline:
2016-10-17: bug discovered
2016-10-17: bug reported to upstream
2016-10-18: blog post about the issue
2016-10-22: upstream released a patch and 1.900.11
2016-10-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.5) revealed a NULL pointer access in jp2_colr_destroy.

The complete ASan output:

# imginfo -f $FILE
cannot copy box data
ASAN:DEADLYSIGNAL
=================================================================
==19664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc50768570 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7f8dcb5bc940 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:443:3
    #6 0x7f8dcb5c1f69 in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7f8dcb5c1f69 in jp2_box_get /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:307
    #8 0x7f8dcb5c5dc0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7f8dcb556f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #11 0x7f8dca66561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==19664==ABORTING

Affected version:
1.900.5

Fixed version:
1.900.10

Commit fix:
https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8887

Timeline:
2016-10-17: bug discovered
2016-10-17: bug reported to upstream
2016-10-18: blog post about the issue
2016-10-21: upstream released a patch
2016-10-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Fuzzing with the upstream security policy enabled revealed a memory allocation failure.

The complete ASan output:

# identify $FILE
==14275==ERROR: AddressSanitizer failed to allocate 0x99ad49000 (41252327424) bytes of LargeMmapAllocator (error code: 12)
==14275==Process memory map follows:
        0x7fe56fbb9000-0x7fe56fbbd000   /lib64/libc-2.22.so
        0x7fe56fbbd000-0x7fe56fbbf000   /lib64/libc-2.22.so
        0x7fe56fbbf000-0x7fe56fbc3000
        0x7fe56fbc3000-0x7fe56fbd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fbd9000-0x7fe56fdd8000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd8000-0x7fe56fdd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd9000-0x7fe56fdda000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdda000-0x7fe56fde0000   /lib64/librt-2.22.so
        0x7fe56fde0000-0x7fe56ffe0000   /lib64/librt-2.22.so
        0x7fe56ffe0000-0x7fe56ffe1000   /lib64/librt-2.22.so
        0x7fe56ffe1000-0x7fe56ffe2000   /lib64/librt-2.22.so
        0x7fe56ffe2000-0x7fe56fff9000   /lib64/libpthread-2.22.so
        0x7fe56fff9000-0x7fe5701f8000   /lib64/libpthread-2.22.so
        0x7fe5701f8000-0x7fe5701f9000   /lib64/libpthread-2.22.so
        0x7fe5701f9000-0x7fe5701fa000   /lib64/libpthread-2.22.so
        0x7fe5701fa000-0x7fe5701fe000
        0x7fe5701fe000-0x7fe5702fb000   /lib64/libm-2.22.so
        0x7fe5702fb000-0x7fe5704fa000   /lib64/libm-2.22.so
        0x7fe5704fa000-0x7fe5704fb000   /lib64/libm-2.22.so
        0x7fe5704fb000-0x7fe5704fc000   /lib64/libm-2.22.so
        0x7fe5704fc000-0x7fe5704fe000   /lib64/libdl-2.22.so
        0x7fe5704fe000-0x7fe5706fe000   /lib64/libdl-2.22.so
        0x7fe5706fe000-0x7fe5706ff000   /lib64/libdl-2.22.so
        0x7fe5706ff000-0x7fe570700000   /lib64/libdl-2.22.so
        0x7fe570700000-0x7fe570bc6000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570bc6000-0x7fe570dc5000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dc5000-0x7fe570dda000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dda000-0x7fe570e1c000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570e1c000-0x7fe5719af000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe5719af000-0x7fe571bae000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571bae000-0x7fe571be7000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571be7000-0x7fe571c59000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571c59000-0x7fe571c5c000
        0x7fe571c5c000-0x7fe571c7e000   /lib64/ld-2.22.so
        0x7fe571cf9000-0x7fe571da4000
        0x7fe571da4000-0x7fe571dc7000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7fe571dc7000-0x7fe571e70000
        0x7fe571e70000-0x7fe571e7d000
        0x7fe571e7d000-0x7fe571e7e000   /lib64/ld-2.22.so
        0x7fe571e7e000-0x7fe571e7f000   /lib64/ld-2.22.so
        0x7fe571e7f000-0x7fe571e80000
        0x7ffddcca3000-0x7ffddccc4000   [stack]
        0x7ffddcd4d000-0x7ffddcd4f000   [vvar]
        0x7ffddcd4f000-0x7ffddcd51000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==14275==End of process memory map.
==14275==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7fe5713b3b3b in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:460:10
    #10 0x7fe5713b3b3b in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:642
    #11 0x7fe564f7af95 in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/pcx.c:400:16
    #12 0x7fe571087b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7fe57181f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7fe5710865ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7fe571086e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7fe57090c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7fe5709a226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7fe56f84661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)

Affected version:
7.0.3.2

Fixed version:
7.0.3.3

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/aea6c6507f55632829e6432f8177a084a57c9fcc

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8862

Timeline:
2016-09-14: bug discovered
2016-09-14: bug reported to upstream
2016-10-07: upstream released a patch
2016-10-08: upstream released 7.0.3.3
2016-10-17: blog post about the issue
2016-10-20: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

jasper: double-free in mem_close (jas_stream.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Fuzzing revealed a double-free in mem_close.

Since jasper seemed to have been dead for years, I first posted this bug on oss-security. A few days ago I noticed that development is alive on GitHub, so I posted the bug to the maintainer, who came back with a fast response/fix.

The complete ASan output:

# imginfo -f $FILE
Corrupt JPEG data: 1 extraneous bytes before marker 0xc4
=================================================================
==31536==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4bfe10 in __interceptor_free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7f15e7385450 in mem_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1079:3
    #2 0x7f15e737ffcb in jas_stream_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:466:2
    #3 0x7f15e7353b71 in jas_image_cmpt_destroy /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:343:3
    #4 0x7f15e7353b71 in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:333
    #5 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #6 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #8 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #9 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #10 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x418bc8 in _start (/tmp/jasper-version-1.900.4/src/appl/.libs/imginfo+0x418bc8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c0498 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #1 0x7f15e7385048 in mem_resize /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:995:14
    #2 0x7f15e7385048 in mem_write /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1018
    #3 0x7f15e73823a3 in jas_stream_flushbuf /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:819:7
    #4 0x7f15e7383e04 in jas_stream_flush /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:749:9
    #5 0x7f15e7383e04 in jas_stream_seek /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:656
    #6 0x7f15e7353b4a in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:332:4
    #7 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #8 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #9 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #10 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #11 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #12 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4c0118 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f15e737fb4e in jas_stream_memopen /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:215:15
    #2 0x7f15e735397e in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:322:28
    #3 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #4 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #5 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #6 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #7 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #8 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: double-free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 in __interceptor_free
==31536==ABORTING
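The trace above shows one 1024-byte region released twice: first by realloc inside mem_resize (a realloc that moves or drops the block frees the old one), then by free inside mem_close on the same address. The following is an added example, not JasPer's own code, of a growable in-memory stream written so that sequence cannot double-free: the owner pointer is replaced only after a successful realloc, a resize to zero is handled without ever calling realloc(p, 0) (which may free p and return NULL), and close clears the pointer so a second close is a no-op. The function names mirror those in the trace for readability only; memstream_t and the bodies are the example's own.

```c
/* Added example (not JasPer code): a growable in-memory stream whose resize
 * never leaves a dangling owner pointer and whose close is idempotent. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    unsigned char *buf;  /* the only pointer that owns the block; NULL once released */
    size_t bufsize;      /* allocated bytes */
    size_t len;          /* bytes written so far */
} memstream_t;

int mem_open(memstream_t *m, size_t initial)
{
    m->buf = NULL; m->bufsize = 0; m->len = 0;
    if (initial == 0) return 0;
    if (!(m->buf = malloc(initial))) return -1;
    m->bufsize = initial;
    return 0;
}

/* Resize the backing block.  Two rules keep ownership unambiguous:
 *  1. m->buf is replaced only after realloc succeeded, so on failure the old
 *     block is still valid and still owned by exactly one pointer;
 *  2. size 0 is handled explicitly, because realloc(p, 0) may free p and
 *     return NULL, which a NULL-only check would misread as "nothing changed"
 *     while p is already gone and will be freed again on close. */
int mem_resize(memstream_t *m, size_t newsize)
{
    if (newsize == 0) {
        free(m->buf);
        m->buf = NULL; m->bufsize = 0; m->len = 0;
        return 0;
    }
    unsigned char *nb = realloc(m->buf, newsize);
    if (!nb) return -1;               /* old block untouched, m->buf still valid */
    m->buf = nb;                      /* the block may have moved; old address is dead */
    m->bufsize = newsize;
    if (m->len > newsize) m->len = newsize;
    return 0;
}

/* Append n bytes, growing geometrically when needed. */
int mem_write(memstream_t *m, const void *data, size_t n)
{
    if (n > SIZE_MAX - m->len) return -1;
    if (m->len + n > m->bufsize) {
        size_t want = m->bufsize ? m->bufsize : 16;
        while (want < m->len + n) {
            if (want > SIZE_MAX / 2) return -1;
            want *= 2;
        }
        if (mem_resize(m, want) != 0) return -1;
    }
    memcpy(m->buf + m->len, data, n);
    m->len += n;
    return 0;
}

/* Release the block. free(NULL) is a no-op, so closing twice is harmless. */
void mem_close(memstream_t *m)
{
    free(m->buf);
    m->buf = NULL; m->bufsize = 0; m->len = 0;
}

/* Replay the sequence from the trace: create, write past capacity (forcing a
 * realloc that may move the block), then close twice. Returns bytes written. */
long memstream_demo(void)
{
    memstream_t m;
    if (mem_open(&m, 16) != 0) return -1;
    for (int i = 0; i < 100; i++) {
        if (mem_write(&m, "0123456789", 10) != 0) { mem_close(&m); return -1; }
    }
    long n = (long)m.len;
    mem_close(&m);
    mem_close(&m);   /* second close: buf is already NULL, nothing is freed again */
    return n;
}

/* Shrink-to-zero followed by close: returns 1 if no pointer was left dangling. */
int memstream_shrink_demo(void)
{
    memstream_t m;
    if (mem_open(&m, 16) != 0) return 0;
    if (mem_write(&m, "abc", 3) != 0) { mem_close(&m); return 0; }
    if (mem_resize(&m, 0) != 0) { mem_close(&m); return 0; }
    int ok = (m.buf == NULL && m.bufsize == 0 && m.len == 0);
    mem_close(&m);
    return ok;
}
```

Run under ASan the same way the advisory's reproducer was (clang -fsanitize=address), memstream_demo() exercises the realloc-then-close path without a report; the value of the pattern is that every release goes through exactly one owning pointer, which is the invariant the trace shows being broken.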

Affected version:
1.900.1, 1.900.3 and 1.900.4

Fixed version:
1.900.10

Commit fix:
https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8693

Timeline:
2016-08-15: bug discovered
2016-08-23: requested a feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-16: blog post about the issue
2016-10-16: CVE assigned
2016-10-20: upstream released a patch

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

jasper: two divide-by-zero in jpc_dec_process_siz (jpc_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Fuzzing revealed two divide-by-zero bugs in jpc_dec_process_siz.

Since jasper seemed to have been dead for years, I first posted this bug on oss-security. A few days ago I noticed that development is alive on GitHub, so I posted the bug to the maintainer, who came back with a fast response/fix.

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING


# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING
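Both traces end inside jpc_dec_process_siz, the routine that consumes the SIZ marker segment (image size, tile size, per-component sub-sampling). The page does not say which SIZ field was zero in the two fuzzed files, so the added example below, which is not JasPer code, takes the defensive route: parse the SIZ segment according to the JPEG 2000 Part 1 layout (ITU-T T.800 Table A.9), reject any field that is later used as a divisor (tile size, XRsiz/YRsiz) when it is zero or otherwise violates the standard's constraints, and compute tile counts and component dimensions only after the segment has been accepted. The sample bytes are constructed, MAX_COMPS is an example limit, and every function and type name is the example's own.

```c
/* Added example (not JasPer code): a JPEG 2000 SIZ marker-segment parser that
 * rejects every field later used as a divisor before any arithmetic runs.
 * Field layout follows ITU-T T.800 Table A.9; all sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_COMPS     4   /* example limit; the standard allows up to 16384 */
#define SIZ_FIXED_LEN 38  /* Lsiz with zero components: 2+2+8*4+2 */

typedef struct {
    uint32_t xsiz, ysiz, xosiz, yosiz;      /* reference grid size and image origin */
    uint32_t xtsiz, ytsiz, xtosiz, ytosiz;  /* tile size and tile-grid origin */
    uint16_t csiz;                          /* number of components */
    uint8_t  ssiz[MAX_COMPS], xrsiz[MAX_COMPS], yrsiz[MAX_COMPS];
} siz_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a SIZ segment body (buf points at Lsiz, just after the 0xFF51 marker).
 * Returns 0 on success, -1 if the segment is truncated or violates a constraint
 * that the geometry functions below rely on. */
int siz_parse(const uint8_t *buf, size_t len, siz_t *s)
{
    if (len < SIZ_FIXED_LEN) return -1;
    uint16_t lsiz = rd16(buf);
    if (lsiz > len) return -1;                               /* truncated segment */
    s->xsiz   = rd32(buf + 4);  s->ysiz   = rd32(buf + 8);
    s->xosiz  = rd32(buf + 12); s->yosiz  = rd32(buf + 16);
    s->xtsiz  = rd32(buf + 20); s->ytsiz  = rd32(buf + 24);
    s->xtosiz = rd32(buf + 28); s->ytosiz = rd32(buf + 32);
    s->csiz   = rd16(buf + 36);
    if (s->csiz == 0 || s->csiz > MAX_COMPS) return -1;
    if (lsiz != SIZ_FIXED_LEN + 3u * s->csiz) return -1;     /* Lsiz must match Csiz */
    /* Constraints from the standard; each guards a divisor or a subtraction. */
    if (s->xsiz == 0 || s->ysiz == 0) return -1;
    if (s->xosiz >= s->xsiz || s->yosiz >= s->ysiz) return -1;
    if (s->xtsiz == 0 || s->ytsiz == 0) return -1;           /* tile-count divisors */
    if (s->xtosiz > s->xosiz || s->ytosiz > s->yosiz) return -1;
    if ((uint64_t)s->xtosiz + s->xtsiz <= s->xosiz) return -1; /* first tile must reach the image */
    if ((uint64_t)s->ytosiz + s->ytsiz <= s->yosiz) return -1;
    for (uint16_t i = 0; i < s->csiz; i++) {
        const uint8_t *c = buf + SIZ_FIXED_LEN + 3 * i;
        s->ssiz[i] = c[0]; s->xrsiz[i] = c[1]; s->yrsiz[i] = c[2];
        if (s->xrsiz[i] == 0 || s->yrsiz[i] == 0) return -1;  /* sub-sampling divisors */
    }
    return 0;
}

/* Ceiling division; callers only reach it with a divisor siz_parse() accepted. */
static uint32_t ceildiv(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a + b - 1) / b); }

/* Derived geometry, meaningful only after siz_parse() returned 0. */
uint32_t siz_num_xtiles(const siz_t *s) { return ceildiv(s->xsiz - s->xtosiz, s->xtsiz); }
uint32_t siz_num_ytiles(const siz_t *s) { return ceildiv(s->ysiz - s->ytosiz, s->ytsiz); }
uint32_t siz_cmpt_width(const siz_t *s, int i)
{
    return ceildiv(s->xsiz, s->xrsiz[i]) - ceildiv(s->xosiz, s->xrsiz[i]);
}
uint32_t siz_cmpt_height(const siz_t *s, int i)
{
    return ceildiv(s->ysiz, s->yrsiz[i]) - ceildiv(s->yosiz, s->yrsiz[i]);
}

/* Constructed sample: 64x48 image, origin 0, 32x32 tiles, one 8-bit component
 * with XRsiz = YRsiz = 1; Lsiz = 38 + 3*1 = 41 (0x0029). */
static const uint8_t GOOD_SIZ[41] = {
    0x00,0x29, 0x00,0x00,                        /* Lsiz, Rsiz */
    0x00,0x00,0x00,0x40, 0x00,0x00,0x00,0x30,    /* Xsiz, Ysiz */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,    /* XOsiz, YOsiz */
    0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x20,    /* XTsiz, YTsiz */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,    /* XTOsiz, YTOsiz */
    0x00,0x01, 0x07,0x01,0x01 };                 /* Csiz; Ssiz, XRsiz, YRsiz */

/* Parse GOOD_SIZ and return one derived quantity: 0 = tile columns, 1 = tile
 * rows, 2 = component-0 width, anything else = component-0 height; -1 if rejected. */
long good_siz_quantity(int which)
{
    siz_t s;
    if (siz_parse(GOOD_SIZ, sizeof GOOD_SIZ, &s) != 0) return -1;
    if (which == 0) return siz_num_xtiles(&s);
    if (which == 1) return siz_num_ytiles(&s);
    if (which == 2) return siz_cmpt_width(&s, 0);
    return siz_cmpt_height(&s, 0);
}

/* Parse a copy of GOOD_SIZ with byte `off` overwritten by `val`, the kind of
 * single-byte mutation a fuzzer produces; 0 = accepted, -1 = rejected early. */
int mutated_siz_result(size_t off, uint8_t val)
{
    uint8_t buf[sizeof GOOD_SIZ]; siz_t s;
    memcpy(buf, GOOD_SIZ, sizeof buf);
    buf[off] = val;
    return siz_parse(buf, sizeof buf, &s);
}
```

Byte 39 of the sample is XRsiz and bytes 20 to 23 are XTsiz; zeroing either makes mutated_siz_result() return -1 before any of the geometry functions run, which is the point of validating at parse time rather than at the division. The same layout check also catches a Lsiz that disagrees with Csiz, so the per-component loop never reads past the segment.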

Affected version:
1.900.1 and 1.900.3

Fixed version:
1.900.4

Commit fix:
https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8691
CVE-2016-8692

Timeline:
2016-08-15: bug discovered
2016-08-23: requested a feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-15: upstream released a patch
2016-10-15: upstream released 1.900.4
2016-10-16: blog post about the issue
2016-10-16: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security