
List:       oss-security
Subject:    [oss-security] Multiple memory corruptions caused by uninitialized values in JasPer 1.900
From:       Gustavo Grieco <gustavo.grieco () gmail ! com>
Date:       2015-08-26 21:01:28
Message-ID: CACn5sdTXNGv3CMY6zWws_7GLPoC2Ep5RO0ogdc9PZOsxuxEmXg () mail ! gmail ! com


Hi,

Following Raphael's advice, I found some memory corruptions in JasPer 1.900
after a quick round of fuzzing of the regression tests of Openjpeg. A few
interesting test cases are available here:

https://zimbra.imag.fr/home/gustavo.grieco@imag.fr/Briefcase/Public/cases.tar.gz

They are compressed to avoid easily crashing programs like Nautilus and
Firefox. All of them can be verified using:

jasper --input $filename --output-format pnm

(tested on Ubuntu 14.04, 32-bit, but it should work in other configurations)

Additionally, sigsegv.jp2 crashes most of the programs using gdk-pixbuf,
like Firefox and Chrome (!). I reported this issue to them a few days ago and
advised them to disable preview of jpeg images since Jasper is unmaintained
and vulnerable. Mozilla developers are working hard trying to find a
workaround to avoid using vulnerable code.
On the other hand, Chromium developers dismissed this issue saying that
they will wait for the "upstream fix".

I think the cause of such memory corruptions is uninitialized values, taken
from the heap, as valgrind reports:


==15417== Memcheck, a memory error detector
==15417== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15417== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==15417== Command: jasper --input sigsegv.jp2 --output-format pnm
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C926: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C826: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==

Regards,
Gustavo.
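The post verifies each case by hand with `jasper --input $filename --output-format pnm` and reads the Valgrind trace by eye. The script below is an added triage helper for doing the same over a whole directory of cases; it is not code from the original mail or from the JasPer project. It assumes `jasper` and `valgrind` are on PATH, that `jasper --output /dev/null` discards the decoded image, and that the cases are `.jp2`/`.j2k` files in the directory given as its first argument. Each run is classified from the Valgrind exit status (set with `--error-exitcode=99`) and from the memcheck log, so a case that merely fails to decode is distinguished from one that reads uninitialised heap memory, performs an invalid access, or dies on a signal; the sample log lines in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the original post or from JasPer).
# Assumes `jasper` and `valgrind` on PATH; cases are .jp2/.j2k files in $1.

# Count memcheck findings in a Valgrind log read from stdin.
# Prints two integers: "<uninitialised-value reports> <invalid access reports>".
count_memcheck_findings() {
    awk '
        /depends on uninitialised value/ { u++ }
        /Use of uninitialised value/     { u++ }
        /Invalid (read|write) of size/   { inv++ }
        END { printf "%d %d\n", u + 0, inv + 0 }
    '
}

# Classify one run from the wrapper exit status ($1) and the Valgrind log ($2).
# Valgrind is run with --error-exitcode=99, so 99 means "memcheck reported
# errors"; a status >= 128 means the decoder died on a signal.
classify_run() {
    status="$1"
    log="$2"
    set -- $(count_memcheck_findings < "$log")
    uninit="$1"
    invalid="$2"
    if [ "$status" -ge 128 ]; then
        verdict="CRASH signal=$((status - 128))"
    elif [ "$invalid" -gt 0 ]; then
        verdict="INVALID_ACCESS"
    elif [ "$uninit" -gt 0 ]; then
        verdict="UNINIT_VALUE"
    elif [ "$status" -ne 0 ]; then
        verdict="DECODE_ERROR status=$status"
    else
        verdict="CLEAN"
    fi
    echo "$verdict uninit=$uninit invalid=$invalid"
}

# Run every case in directory $1 under memcheck and print one line per file.
triage_dir() {
    dir="$1"
    for f in "$dir"/*.jp2 "$dir"/*.j2k; do
        [ -e "$f" ] || continue
        log="$(mktemp)"
        # --track-origins=yes makes memcheck name the allocation that created
        # the uninitialised value, as in the trace quoted in the post.
        valgrind --quiet --error-exitcode=99 --track-origins=yes \
            jasper --input "$f" --output /dev/null --output-format pnm \
            >/dev/null 2>"$log"
        status=$?
        printf '%s: %s\n' "$f" "$(classify_run "$status" "$log")"
        rm -f "$log"
    done
}

# Usage: ./triage.sh cases/   (runs only when executed under that name,
# so the functions can also be sourced from another script)
case "$0" in
    triage.sh|*/triage.sh) triage_dir "${1:-.}" ;;
esac
```

Save it as `triage.sh`, extract the cases archive, and run `./triage.sh cases/`. Fed the two memcheck blocks quoted above, `count_memcheck_findings` reports `2 0`, and a run that ends in SIGSEGV is reported as `CRASH signal=11` regardless of what memcheck logged before the fault; sorting the output by verdict gives a quick picture of which cases are uninitialised-read only and which already corrupt memory.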

