Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Aug 2015 11:08:44 +0200
From: FEIST Josselin <josselin.feist@...il.com>
To: oss-security@...ts.openwall.com
Subject: Use-after-free (and double-free) in Jasper JPEG-200 (CVE-2015-5221)

Hi,

A new use-after-free was found in Jasper JPEG-200.

The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file. Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp) (line 572), but if one of the two following branch conditions is taken (line 573/576), a second call to jas_tvparser_destroy(tvp) occurs (line 586). It is a use-after-free because before calling free in jas_tvparser_destroy there is a check to tvp->buf, while tvp could have been freed. Two double free take place just after this check (on tvp->buf and tvp). A simple fix  should be to move the first call of jas_tvparser_destroy after the two branch conditions (or set tvp to NULL after it has been freed in mif_process_cmpt).

The vulnerability was found by a static binary analysis using the tool gueb (that will become open-source soon).

Since another double-free in this library was found recently (http://seclists.org/oss-sec/2015/q3/366), maybe a patch could fix both of them ?

Best regards,
Feist Josselin


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ