Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jan 2016 03:04:17 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: invalid Read in the JasPer's jas_matrix_clip() function


Hello,
We find another vulnerability in the way JasPer's jas_matrix_clip() function parsed certain JPEG 2000 image files.
I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src.
The gdb info was:
Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.out -t jp2 -T bmp

Program received signal SIGSEGV, Segmentation fault.
0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255)
    at jas_seq.c:286
286		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
(gdb) bt
#0  0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255)
    at jas_seq.c:286
#1  0x08066af5 in jpc_dec_tiledecode (dec=0x81a05b8, tile=0xb785c008)
    at jpc_dec.c:1117
#2  0x08064e7f in jpc_dec_process_sod (dec=0x81a05b8, ms=0x81a0628)
    at jpc_dec.c:621
#3  0x080647f4 in jpc_dec_decode (dec=0x81a05b8) at jpc_dec.c:390
#4  0x0806450f in jpc_decode (in=0x819c308, optstr=0x0) at jpc_dec.c:254
#5  0x08058e5e in jp2_decode (in=0x819c308, optstr=0x0) at jp2_dec.c:215
#6  0x08052ba9 in jas_image_decode (in=0x819c308, fmt=4, optstr=0x0)
    at jas_image.c:379
#7  0x08049158 in main (argc=9, argv=0xbffff094) at jasper.c:229


This vulnerability was found by Qihoo 360 Codesafe Team
Download attachment "jasper_poc.zip" of type "application/octet-stream" (1097 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.