Date: Thu, 28 Jan 2016 03:04:17 +0000 From: limingxing <limingxing@....cn> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: invalid Read in the JasPer's jas_matrix_clip() function Hello, We find another vulnerability in the way JasPer's jas_matrix_clip() function parsed certain JPEG 2000 image files. I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src. The gdb info was: Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.out -t jp2 -T bmp Program received signal SIGSEGV, Segmentation fault. 0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255) at jas_seq.c:286 286 for (i = matrix->numrows_, rowstart = matrix->rows_; i > 0; --i, (gdb) bt #0 0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255) at jas_seq.c:286 #1 0x08066af5 in jpc_dec_tiledecode (dec=0x81a05b8, tile=0xb785c008) at jpc_dec.c:1117 #2 0x08064e7f in jpc_dec_process_sod (dec=0x81a05b8, ms=0x81a0628) at jpc_dec.c:621 #3 0x080647f4 in jpc_dec_decode (dec=0x81a05b8) at jpc_dec.c:390 #4 0x0806450f in jpc_decode (in=0x819c308, optstr=0x0) at jpc_dec.c:254 #5 0x08058e5e in jp2_decode (in=0x819c308, optstr=0x0) at jp2_dec.c:215 #6 0x08052ba9 in jas_image_decode (in=0x819c308, fmt=4, optstr=0x0) at jas_image.c:379 #7 0x08049158 in main (argc=9, argv=0xbffff094) at jasper.c:229 This vulnerability was found by Qihoo 360 Codesafe Team Download attachment "jasper_poc.zip" of type "application/octet-stream" (1097 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.