Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Mar 2017 09:06:00 +0100
From: Emilio Pozuelo Monfort <>
Subject: Re: CVE-Request JasPer 2.0.12 NULL Pointer Dereference
 jp2_encode (jp2_enc.c)

On 06/03/17 03:16, Anthony Sasadeusz wrote:
> admin@...172-31-13-10:~/jasper/build-asan/src/appl$ ./jasper --input
> ../../../build-afl/src/appl/findings/crashes/id\:000000\,sig\:11\,src\:000002\,op\:havoc\,rep\:16
> --output /dev/null --output-format jp2
> =================================================================
> ==16088==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
> (pc 0x7f45f3104fe6 sp 0x7ffcd24052c0 bp 0x7ffcd24063d0 T0)
>     #0 0x7f45f3104fe5 in jp2_encode
> /home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119
>     #1 0x7f45f30de187 in jas_image_encode
> /home/admin/jasper/src/libjasper/base/jas_image.c:471
>     #2 0x402494 in main /home/admin/jasper/src/appl/jasper.c:277
>     #3 0x7f45f2a1eb44 in __libc_start_main
> (/lib/x86_64-linux-gnu/
>     #4 0x401908 (/home/admin/jasper/build-asan/src/appl/jasper+0x401908)
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV
> /home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119 jp2_encode
> ==16088==ABORTING
> This also happens on the latest master branch.
> The repo:
> Crashing inputs found with afl:

You should request CVEs at these days.

Also it'd be good if you opened an upstream bug report about this.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.