oss-sec mailing list archives
Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function
From: limingxing <limingxing () 360 cn>
Date: Wed, 13 Jan 2016 03:54:55 +0000
Hello,

We found a vulnerability in the way JasPer's jpc_pi_nextcprl() function parsed certain JPEG 2000 image files. I was successful in reproducing this issue in jasper-1.900.1-31.fc23.src.

The gdb info was:

Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

Program received signal SIGSEGV, Segmentation fault.
jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
435	    pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
(gdb) bt
#0  jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
#1  jpc_pi_next (pi=pi@entry=0x80a4ab0) at jpc_t2cod.c:125
#2  0x08062d85 in jpc_dec_decodepkts (dec=dec@entry=0x809a5b8, pkthdrstream=0x8096308, in=0x8096308) at jpc_t2dec.c:441
#3  0x0806202a in jpc_dec_process_sod (dec=0x809a5b8, ms=0x0) at jpc_dec.c:591
#4  0x0806158d in jpc_dec_decode (dec=0x809a5b8) at jpc_dec.c:390
#5  jpc_decode (in=in@entry=0x8096308, optstr=optstr@entry=0x0) at jpc_dec.c:254
#6  0x08056627 in jp2_decode (in=0x8096308, optstr=0x0) at jp2_dec.c:215
#7  0x08051a28 in jas_image_decode (in=in@entry=0x8096308, fmt=<optimized out>, optstr=0x0) at jas_image.c:379
#8  0x08048f19 in main (argc=9, argv=0xbffff094) at jasper.c:229

This vulnerability was found by Qihoo 360 Codesafe Team.
Attachment:
jasper_poc.zip
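The report gives the faulting line (jpc_t2cod.c:435, which dereferences pi->picomp and pirlvl) but not why those pointers lie outside the allocated iterator state. As an added illustration that is not JasPer's code and does not claim to be the actual root cause, the sketch below shows the check a packet iterator of this shape needs: the component range and per-component resolution-level count that the codestream supplies are validated against the sizes allocated from the image header before the step arithmetic dereferences them. All type and function names (pi_t, pi_validate, pi_xsteps, demo) are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>

/* Hypothetical, simplified iterator state; names mirror the report's
 * frame but are not JasPer's definitions. */
typedef struct { int prcwidthexpn; } pirlvl_t;
typedef struct { int hsamp; int numrlvls; pirlvl_t *pirlvls; } picomp_t;
typedef struct {
    picomp_t *picomps;  /* numcomps entries, sized from the image header */
    size_t numcomps;
    size_t compnostart; /* component range requested by the codestream; */
    size_t compnoend;   /* untrusted, a crafted file can exceed numcomps */
} pi_t;

/* Check every codestream-supplied index before the loop dereferences it.
 * Returns 0 when the walk stays inside the allocated state. */
static int pi_validate(const pi_t *pi)
{
    if (pi->compnostart > pi->compnoend || pi->compnoend > pi->numcomps)
        return -1;
    for (size_t c = pi->compnostart; c < pi->compnoend; ++c)
        if (pi->picomps[c].numrlvls < 1 || !pi->picomps[c].pirlvls)
            return -1;  /* pirlvls[0] would be an out-of-bounds read */
    return 0;
}

/* Step arithmetic in the shape of jpc_t2cod.c:435, run only after
 * validation; writes up to cap steps, returns the count or -1. */
static long pi_xsteps(const pi_t *pi, long *xstep, size_t cap)
{
    if (pi_validate(pi) != 0)
        return -1;
    long n = 0;
    for (size_t c = pi->compnostart; c < pi->compnoend && (size_t)n < cap; ++c) {
        const picomp_t *comp = &pi->picomps[c];
        const pirlvl_t *pirlvl = comp->pirlvls;
        xstep[n++] = (long)comp->hsamp * (1L << (pirlvl->prcwidthexpn + comp->numrlvls - 1));
    }
    return n;
}

/* Constructed sample: two components; compnoend plays the value a file
 * supplies. Returns component idx's xstep, or -1 when the range is rejected. */
static long demo(size_t compnoend, size_t idx)
{
    pirlvl_t lvl0 = { 15 }, lvl1 = { 13 };
    picomp_t comps[2] = { { 1, 1, &lvl0 }, { 2, 1, &lvl1 } };
    pi_t pi = { comps, 2, 0, compnoend };
    long out[2] = { -1, -1 }, n = pi_xsteps(&pi, out, 2);
    return (n < 0 || idx >= (size_t)n) ? -1 : out[idx];  /* demo(2,0) -> 32768 */
}
```

With compnoend equal to the two allocated components the steps come out as 32768 and 16384; with a crafted compnoend of 3 the walk is refused instead of reading past picomps.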