Date: Wed, 13 Jan 2016 03:54:55 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function


Hello,
We found a vulnerability in the way JasPer's jpc_pi_nextcprl() function parses certain JPEG 2000 image files.
I was successful in reproducing this issue in jasper-1.900.1-31.fc23.src.
The gdb info was:
Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

Program received signal SIGSEGV, Segmentation fault.
jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
435			pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
(gdb) bt
#0  jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
#1  jpc_pi_next (pi=pi@...ry=0x80a4ab0) at jpc_t2cod.c:125
#2  0x08062d85 in jpc_dec_decodepkts (dec=dec@...ry=0x809a5b8, 
    pkthdrstream=0x8096308, in=0x8096308) at jpc_t2dec.c:441
#3  0x0806202a in jpc_dec_process_sod (dec=0x809a5b8, ms=0x0) at jpc_dec.c:591
#4  0x0806158d in jpc_dec_decode (dec=0x809a5b8) at jpc_dec.c:390
#5  jpc_decode (in=in@...ry=0x8096308, optstr=optstr@...ry=0x0)
    at jpc_dec.c:254
#6  0x08056627 in jp2_decode (in=0x8096308, optstr=0x0) at jp2_dec.c:215
#7  0x08051a28 in jas_image_decode (in=in@...ry=0x8096308, 
    fmt=<optimized out>, optstr=0x0) at jas_image.c:379
#8  0x08048f19 in main (argc=9, argv=0xbffff094) at jasper.c:229


This vulnerability was found by the Qihoo 360 Codesafe Team.