{"id":797,"date":"2016-10-23T09:54:47","date_gmt":"2016-10-23T07:54:47","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=797"},"modified":"2017-03-13T12:36:51","modified_gmt":"2017-03-13T10:36:51","slug":"jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/23\/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887\/","title":{"rendered":"jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)"},"content":{"rendered":"

Description<\/strong>:
\njasper<\/a> is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.<\/p>\n

Another round of fuzzing on an updated version (1.900.10) revealed that the NULL pointer access identified as CVE-2016-8887 which upstream declared to be fixed in the version 1.900.10 is still here.<\/p>\n

The complete ASan output:<\/p>\n

# imginfo -f $FILE\r\nASAN:DEADLYSIGNAL\r\n=================================================================\r\n==20885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc4e4a4550 T0)\r\n    #0 0x41defc in atomic_compare_exchange_strong \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_atomic_clang.h:81\r\n    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:465\r\n    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:525\r\n    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:709\r\n    #4 0x4c008c in free \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:41\r\n    #5 0x7faeeeb2d430 in jp2_colr_destroy \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/libjasper\/jp2\/jp2_cod.c:450:3\r\n    #6 0x7faeeeb32b0e in jp2_box_destroy \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/libjasper\/jp2\/jp2_cod.c:211:3\r\n    #7 0x7faeeeb32b0e in jp2_box_get \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/libjasper\/jp2\/jp2_cod.c:314\r\n    #8 0x7faeeeb369a0 in jp2_decode \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/libjasper\/jp2\/jp2_dec.c:156:16\r\n    #9 0x7faeeeac6a29 in jas_image_decode \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/libjasper\/base\/jas_image.c:392:16\r\n    #10 0x4f1686 in main \/tmp\/portage\/media-libs\/jasper-1.900.10\/work\/jasper-1.900.10\/src\/appl\/imginfo.c:188:16\r\n    #11 0x7faeedbd361f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #12 0x418e68 in _init (\/usr\/bin\/imginfo+0x418e68)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong\r\n==20885==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n1.900.10<\/p>\n
Fixed version:<\/strong>
\n1.900.13<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/mdadams\/jasper\/commit\/bdfe95a6e81ffb4b2fad31a76b57943695beed20<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-10250<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00002-jasper-NULLptr-jp2_colr_destroy<\/a><\/p>\n
Timeline:<\/strong>
\n2016-10-22: bug re-discovered
\n2016-10-22: bug re-reported to upstream
\n2016-10-23: blog post about the issue
\n2016-10-23: upstream released a patch and 1.900.13
\n2017-03-12: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)<\/a><\/p><\/blockquote>\n