Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Jan 2016 03:04:17 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: invalid Read in the JasPer's jas_matrix_clip() function


Hello,
We find another vulnerability in the way JasPer's jas_matrix_clip() function parsed certain JPEG 2000 image files.
I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src.
The gdb info was:
Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.out -t jp2 -T bmp

Program received signal SIGSEGV, Segmentation fault.
0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255)
    at jas_seq.c:286
286		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
(gdb) bt
#0  0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255)
    at jas_seq.c:286
#1  0x08066af5 in jpc_dec_tiledecode (dec=0x81a05b8, tile=0xb785c008)
    at jpc_dec.c:1117
#2  0x08064e7f in jpc_dec_process_sod (dec=0x81a05b8, ms=0x81a0628)
    at jpc_dec.c:621
#3  0x080647f4 in jpc_dec_decode (dec=0x81a05b8) at jpc_dec.c:390
#4  0x0806450f in jpc_decode (in=0x819c308, optstr=0x0) at jpc_dec.c:254
#5  0x08058e5e in jp2_decode (in=0x819c308, optstr=0x0) at jp2_dec.c:215
#6  0x08052ba9 in jas_image_decode (in=0x819c308, fmt=4, optstr=0x0)
    at jas_image.c:379
#7  0x08049158 in main (argc=9, argv=0xbffff094) at jasper.c:229


This vulnerability was found by Qihoo 360 Codesafe Team
Download attachment "jasper_poc.zip" of type "application/octet-stream" (1097 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.