{"id":756,"date":"2016-10-18T16:39:16","date_gmt":"2016-10-18T14:39:16","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=756"},"modified":"2016-12-01T16:02:25","modified_gmt":"2016-12-01T14:02:25","slug":"jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/18\/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c\/","title":{"rendered":"jasper: memory allocation failure in jas_malloc (jas_malloc.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.ece.uvic.ca\/~frodo\/jasper\/\">jasper<\/a> is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.<\/p>\n<p>Another round of fuzzing on an updated version (1.900.5) revealed a memory allocation failure.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># imginfo -f $FILE\r\nTHE BMP FORMAT IS NOT FULLY SUPPORTED!\r\nTHAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.\r\nIF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA\r\nTO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.\r\n==18943==ERROR: AddressSanitizer failed to allocate 0x1000002000 (68719484928) bytes of LargeMmapAllocator (error code: 12)\r\n==18943==Process memory map follows:\r\n        0x000000400000-0x000000520000   \/usr\/bin\/imginfo\r\n        0x00000071f000-0x000000720000   \/usr\/bin\/imginfo\r\n        0x000000720000-0x000000724000   \/usr\/bin\/imginfo\r\n        0x000000724000-0x0000013a6000\r\n        0x00007fff7000-0x00008fff7000\r\n        0x00008fff7000-0x02008fff7000\r\n        0x02008fff7000-0x10007fff8000\r\n        0x600000000000-0x602000000000\r\n        0x602000000000-0x602000010000\r\n        0x602000010000-0x603000000000\r\n        0x603000000000-0x603000010000\r\n        0x603000010000-0x604000000000\r\n        0x604000000000-0x604000010000\r\n        0x604000010000-0x606000000000\r\n        0x606000000000-0x606000010000\r\n        0x606000010000-0x60b000000000\r\n        0x60b000000000-0x60b000010000\r\n        0x60b000010000-0x619000000000\r\n        0x619000000000-0x619000020000\r\n        0x619000020000-0x625000000000\r\n        0x625000000000-0x625000020000\r\n        0x625000020000-0x640000000000\r\n        0x640000000000-0x640000003000\r\n        0x7f4f00738000-0x7f4f03593000\r\n        0x7f4f03593000-0x7f4f035fc000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f4f035fc000-0x7f4f037fb000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f4f037fb000-0x7f4f037fc000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f4f037fc000-0x7f4f037fd000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f4f037fd000-0x7f4f03990000   \/lib64\/libc-2.22.so\r\n        0x7f4f03990000-0x7f4f03b90000   \/lib64\/libc-2.22.so\r\n        0x7f4f03b90000-0x7f4f03b94000   \/lib64\/libc-2.22.so\r\n        0x7f4f03b94000-0x7f4f03b96000   \/lib64\/libc-2.22.so\r\n        0x7f4f03b96000-0x7f4f03b9a000\r\n        0x7f4f03b9a000-0x7f4f03bb0000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f4f03bb0000-0x7f4f03daf000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f4f03daf000-0x7f4f03db0000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f4f03db0000-0x7f4f03db1000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f4f03db1000-0x7f4f03db3000   \/lib64\/libdl-2.22.so\r\n        0x7f4f03db3000-0x7f4f03fb3000   \/lib64\/libdl-2.22.so\r\n        0x7f4f03fb3000-0x7f4f03fb4000   \/lib64\/libdl-2.22.so\r\n        0x7f4f03fb4000-0x7f4f03fb5000   \/lib64\/libdl-2.22.so\r\n        0x7f4f03fb5000-0x7f4f03fbb000   \/lib64\/librt-2.22.so\r\n        0x7f4f03fbb000-0x7f4f041bb000   \/lib64\/librt-2.22.so\r\n        0x7f4f041bb000-0x7f4f041bc000   \/lib64\/librt-2.22.so\r\n        0x7f4f041bc000-0x7f4f041bd000   \/lib64\/librt-2.22.so\r\n        0x7f4f041bd000-0x7f4f041d4000   \/lib64\/libpthread-2.22.so\r\n        0x7f4f041d4000-0x7f4f043d3000   \/lib64\/libpthread-2.22.so\r\n        0x7f4f043d3000-0x7f4f043d4000   \/lib64\/libpthread-2.22.so\r\n        0x7f4f043d4000-0x7f4f043d5000   \/lib64\/libpthread-2.22.so\r\n        0x7f4f043d5000-0x7f4f043d9000\r\n        0x7f4f043d9000-0x7f4f044d6000   \/lib64\/libm-2.22.so\r\n        0x7f4f044d6000-0x7f4f046d5000   \/lib64\/libm-2.22.so\r\n        0x7f4f046d5000-0x7f4f046d6000   \/lib64\/libm-2.22.so\r\n        0x7f4f046d6000-0x7f4f046d7000   \/lib64\/libm-2.22.so\r\n        
0x7f4f046d7000-0x7f4f04891000   \/usr\/lib64\/libjasper.so.1.0.0\r\n        0x7f4f04891000-0x7f4f04a90000   \/usr\/lib64\/libjasper.so.1.0.0\r\n        0x7f4f04a90000-0x7f4f04a94000   \/usr\/lib64\/libjasper.so.1.0.0\r\n        0x7f4f04a94000-0x7f4f04aa3000   \/usr\/lib64\/libjasper.so.1.0.0\r\n        0x7f4f04aa3000-0x7f4f04aac000\r\n        0x7f4f04aac000-0x7f4f04ace000   \/lib64\/ld-2.22.so\r\n        0x7f4f04c67000-0x7f4f04cc2000\r\n        0x7f4f04cc2000-0x7f4f04ccd000\r\n        0x7f4f04ccd000-0x7f4f04cce000   \/lib64\/ld-2.22.so\r\n        0x7f4f04cce000-0x7f4f04ccf000   \/lib64\/ld-2.22.so\r\n        0x7f4f04ccf000-0x7f4f04cd0000\r\n        0x7ffeaeaca000-0x7ffeaeaeb000   [stack]\r\n        0x7ffeaeb8a000-0x7ffeaeb8c000   [vvar]\r\n        0x7ffeaeb8c000-0x7ffeaeb8e000   [vdso]\r\n        0xffffffffff600000-0xffffffffff601000   [vsyscall]\r\n==18943==End of process memory map.\r\n==18943==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183 \"((0 &amp;&amp; \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4c9ccd in AsanCheckFailed \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67\r\n    #1 0x4d0803 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159\r\n    #2 0x4d09f1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183\r\n    #3 0x4d9a2a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) 
\/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_posix.cc:122\r\n    #4 0x421dbf in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1033\r\n    #5 0x421dbf in __sanitizer::CombinedAllocator&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt;, __sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;, __sanitizer::LargeMmapAllocator &gt;::Allocate(__sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1302\r\n    #6 0x421dbf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:368\r\n    #7 0x421dbf in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718\r\n    #8 0x4c0391 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53\r\n    #9 0x7f4f0474e170 in jas_malloc 
\/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/libjasper\/base\/jas_malloc.c:117:9\r\n    #10 0x7f4f0474e170 in jas_alloc2 \/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/libjasper\/base\/jas_malloc.c:141\r\n    #11 0x7f4f04764b4f in bmp_getinfo \/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/libjasper\/bmp\/bmp_dec.c:297:25\r\n    #12 0x7f4f04764b4f in bmp_decode \/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/libjasper\/bmp\/bmp_dec.c:132\r\n    #13 0x7f4f0470ef39 in jas_image_decode \/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/libjasper\/base\/jas_image.c:380:16\r\n    #14 0x4f1686 in main \/tmp\/portage\/media-libs\/jasper-1.900.5\/work\/jasper-1.900.5\/src\/appl\/imginfo.c:188:16\r\n    #15 0x7f4f0381d61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #16 0x418e68 in _init (\/usr\/bin\/imginfo+0x418e68)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.900.5<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.900.11<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/mdadams\/jasper\/commit\/65536647d380571d1a9a6c91fa03775fb5bbd256\">https:\/\/github.com\/mdadams\/jasper\/commit\/65536647d380571d1a9a6c91fa03775fb5bbd256<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8886<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-10-17: bug discovered<br \/>\n2016-10-17: bug reported to upstream<br \/>\n2016-10-18: blog post about the issue<br \/>\n2016-10-22: upstream released a patch and 1.900.11<br \/>\n2016-10-23: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/10\/18\/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c\/\">jasper: memory allocation failure in jas_malloc (jas_malloc.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. Another round of fuzzing on an updated version (1.900.5) revealed a memory allocation failure. 
The complete ASan output: &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/18\/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-cc","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/756"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=756"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":1005,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/756\/revisions\/1005"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}