security bug in jasper
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
jasper (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
1) Invalid pointer access Bug in jas_matrix_asl
mov rax, [rbp+var_10]
mov rax, [rax] // invalid memory access
https:/
Here pointer 'data' is corrupted, and while trying to access its value the application crashes.
while ( v4 > 0 )
{
  v5 = *(_QWORD *)(a1 + 48);
  v7 = v6;
  while ( v5 > 0 )
  {
    *v7 = jas_fast32_asl(*v7, a2); // here pointer v7 is not validated
    --v5;
    ++v7;
  }
2) Invalid pointer access Bug in jpc_undo_roi
Invalid memory access bug in line jpc_dec.c (https:/
for ( i = 0; (signed __int64)i < *(_QWORD *)(a1 + 40); ++i )
{
  for ( j = 0; (signed __int64)j < *(_QWORD *)(a1 + 48); ++j )
  {
    v15 = *(_QWORD *)(8LL * j + *(_QWORD *)(8LL * i + *(_QWORD *)(a1 + 56))); // crashing here
    v12 = (v15 ^ (v15 >> 63)) - (v15 >> 63);
    if ( 1 << v8 > v12 )
These 2 bugs were found during extensive file format fuzzing and research done on the libjasper library.
From a quick check, I found that the address of access can be controlled by crafting the jp2 image bit stream. Crash samples attached.
Please issue CVEs and fix these issues at the earliest.
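A defensive version of the row walk quoted in item 1, as an added example that is not part of the original report and is not libjasper's code. It assumes a hypothetical `matrix_t` layout (a flat buffer plus a table of row pointers) and rejects the matrix if any row pointer would leave that buffer before shifting.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout for illustration only (not libjasper's jas_matrix_t). */
typedef struct {
    size_t numrows, numcols;
    long **rows;      /* numrows pointers into data */
    long *data;       /* flat backing store */
    size_t datasize;  /* number of elements in data */
} matrix_t;

/* Return 1 only if every row pointer addresses numcols elements inside data. */
int matrix_rows_valid(const matrix_t *m)
{
    if (!m || !m->rows || !m->data) return 0;
    if (m->numcols > m->datasize) return 0;
    uintptr_t base = (uintptr_t)m->data;
    for (size_t i = 0; i < m->numrows; ++i) {
        uintptr_t p = (uintptr_t)m->rows[i];
        if (p < base || (p - base) % sizeof(long) != 0) return 0;
        if ((p - base) / sizeof(long) > m->datasize - m->numcols) return 0;
    }
    return 1;
}

/* Checked shift loop: returns -1 without writing if the matrix is inconsistent. */
int matrix_asl_checked(matrix_t *m, unsigned n)
{
    if (n >= sizeof(long) * 8 || !matrix_rows_valid(m)) return -1;
    for (size_t i = 0; i < m->numrows; ++i)
        for (size_t j = 0; j < m->numcols; ++j)
            m->rows[i][j] = (long)((unsigned long)m->rows[i][j] << n);
    return 0;
}

/* Constructed demo: a valid 2x3 matrix, then one row pointer is corrupted. */
int demo(void)
{
    long buf[6] = {1, 2, 3, 4, 5, 6};
    long *rows[2] = {buf, buf + 3};
    matrix_t m = {2, 3, rows, buf, 6};
    if (matrix_asl_checked(&m, 1) != 0 || buf[5] != 12) return 1;
    rows[1] = buf + 5;  /* constructed corruption: row would run past the buffer */
    if (matrix_asl_checked(&m, 1) != -1) return 2;
    return buf[0] == 2 ? 0 : 3;  /* data untouched after the rejection */
}

int main(void) { return demo(); }
```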
information type: Private Security → Public Security
Changed in jasper (Ubuntu):
status: New → Confirmed
Can you please file these issues with upstream?
https://github.com/mdadams/jasper/blob/master/README
Once you've filed the reports, please add the links here.
Thanks