{"id":833,"date":"2016-11-04T16:41:45","date_gmt":"2016-11-04T14:41:45","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=833"},"modified":"2017-03-13T12:39:23","modified_gmt":"2017-03-13T10:39:23","slug":"jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c\/","title":{"rendered":"jasper: use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.ece.uvic.ca\/~frodo\/jasper\/\">jasper<\/a> is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.<\/p>\n<p>I decided to try another round of fuzzing with the Memory Sanitizer enabled, and I discovered that there is a use-of-uninitialized-value in jpc_pi_nextcprl.<\/p>\n<p>The complete MSan output:<\/p>\n<pre><font size=\"2\"># imginfo -f $FILE\r\nwarning: trailing garbage in marker segment (14 bytes)\r\nwarning: trailing garbage in marker segment (14 bytes)\r\nwarning: ignoring unknown marker segment\r\ntype = 0xff41 (UNKNOWN); len = 20;01 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 warning: trailing garbage in marker segment (14 bytes)\r\n==7937==WARNING: MemorySanitizer: use-of-uninitialized-value\r\n    #0 0x7fc562323907 in jpc_pi_nextcprl \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_t2cod.c:482:12\r\n    #1 0x7fc562323907 in jpc_pi_next \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_t2cod.c:125\r\n    #2 0x7fc56232aadc in jpc_dec_decodepkts \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_t2dec.c:441:14\r\n    #3 0x7fc5621fa9f1 in jpc_dec_process_sod \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:594:6\r\n    #4 0x7fc56220c574 in jpc_dec_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:391:10\r\n    #5 0x7fc56220c574 in jpc_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:255\r\n    #6 0x7fc5621ac5a4 in jp2_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jp2\/jp2_dec.c:215:21\r\n    #7 0x7fc5620d69d1 in jas_image_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/base\/jas_image.c:396:16\r\n    #8 0x557bb7618831 in main \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/appl\/imginfo.c:203:16\r\n    #9 0x7fc5611e961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #10 0x557bb7599a28 in _init (\/usr\/bin\/imginfo+0x1aa28)\r\n\r\n  Uninitialized value was created by a heap allocation\r\n    #0 0x557bb75bf639 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/msan\/msan_interceptors.cc:1002\r\n    #1 0x7fc5621507d4 in jas_malloc \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/base\/jas_malloc.c:148:13\r\n    #2 0x7fc562152520 in jas_alloc2 \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/base\/jas_malloc.c:275:9\r\n    #3 0x7fc56233360c in jpc_dec_pi_create \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_t2dec.c:506:30\r\n    #4 0x7fc5621f2c71 in jpc_dec_tileinit \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:911:19\r\n    #5 0x7fc5621f2c71 in jpc_dec_process_sod \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:560\r\n    #6 0x7fc56220c574 in jpc_dec_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:391:10\r\n    #7 0x7fc56220c574 in jpc_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_dec.c:255\r\n    #8 0x7fc5621ac5a4 in jp2_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jp2\/jp2_dec.c:215:21\r\n    #9 0x7fc5620d69d1 in jas_image_decode \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/base\/jas_image.c:396:16\r\n    #10 0x557bb7618831 in main \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/appl\/imginfo.c:203:16\r\n    #11 0x7fc5611e961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n\r\nSUMMARY: MemorySanitizer: use-of-uninitialized-value \/tmp\/portage\/media-libs\/jasper-1.900.17\/work\/jasper-1.900.17\/src\/libjasper\/jpc\/jpc_t2cod.c:482:12 in jpc_pi_nextcprl\r\nExiting\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.900.17<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.900.20<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/mdadams\/jasper\/commit\/1f0dfe5a42911b6880a1445f13f6d615ddb55387\">https:\/\/github.com\/mdadams\/jasper\/commit\/1f0dfe5a42911b6880a1445f13f6d615ddb55387<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-10251<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00029-jasper-uninitvalue-jpc_pi_nextcprl\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00029-jasper-uninitvalue-jpc_pi_nextcprl<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-11-03: bug discovered and reported to upstream<br \/>\n2016-11-04: upstream released a patch<br \/>\n2016-11-04: blog post about the issue<br \/>\n2017-03-12: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"ZkgmGJMK9i\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c\/\">jasper: use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c)<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. I decided to try another round of fuzzing with the Memory Sanitizer enabled, and I discovered that there &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-dr","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/833"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=833"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/833\/revisions"}],"predecessor-version":[{"id":1471,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/833\/revisions\/1471"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}