This repository has been archived by the owner on Jul 29, 2020. It is now read-only.
Fixes CVE-2017-5503, CVE-2017-5504, CVE-2017-5505, Closes #3 Closes #4 Closes #5 Closes jasper-software/jasper#88 Closes jasper-software/jasper#89 Closes jasper-software/jasper#90
Fixes CVE-2018-19139 (memory leak) Closes #14
Fixes memory leak when the decoder finishes (or fails) but no "SOT" segment has been processed.
libFuzzer keeps finding new bugs. This is bad!
This was linked to issues Jun 28, 2020
When iterating over `dec->cdef->data.cdef.ents`, we need to use its `numchans` variable, not the one in `jp2_dec_t`. Fixes CVE-2018-19543 Fixes CVE-2017-9782 Closes #13 Closes #18 Closes jasper-software/jasper#140 Closes jasper-software/jasper#182
PoC file is a MIF image with no components, which causes a NULL pointer dereference or heap buffer overflow when reading information about the first component. Fixes CVE-2017-14132 Closes #17
According to the specification A.5.1 Table A-11, the component bit depth can be at most 38. Fixes CVE-2017-5499 (integer overflow) Closes #2 Closes jasper-software/jasper#63
Better than crashing.
By using height==0, the width can exceed the configured max_samples setting, which allows attackers to cause gigabytes of memory allocations.
Prevent yet another out-of-memory vulnerability.
…ni() If jpc_dec_tileinit() fails, the `bands` variable is left uninitialized, so jpc_dec_tilefini() attempts to free an arbitrary pointer, crashing the application.
Make the buffer "unsigned" and cast each byte to an unsigned 32-bit integer before shifting. This fixes the following UBSan warnings:
left shift of negative value X
left shift of X by 24 places cannot be represented in type 'int'
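The shift fix described in the commit above, as an added example that is not JasPer's own code: a big-endian 32-bit reader using the unsigned-buffer-and-cast pattern, with the signed pattern it replaces shown in a comment. The byte values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/*
 * Constructed example (not JasPer's code): decoding a big-endian 32-bit
 * integer from a byte buffer, as a codestream marker parser must do.
 *
 * The pattern the commit removes looks like this:
 *
 *     char buf[4];
 *     int v = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
 *
 * With a signed `char`, any byte >= 0x80 is promoted to a negative int and
 * shifting a negative value left is undefined behaviour ("left shift of
 * negative value"). Even a non-negative byte with bit 7 set overflows
 * `int` when shifted by 24 ("cannot be represented in type 'int'").
 */

/* Hardened reader: unsigned buffer, each byte widened to uint32_t before
 * the shift, so every intermediate value is well defined. */
uint32_t read_be32(const unsigned char *buf)
{
    return ((uint32_t)buf[0] << 24) |
           ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8) |
           (uint32_t)buf[3];
}

/* Constructed inputs with the high bit set: the cases where the signed
 * version triggers the UBSan reports quoted in the commit message. */
uint32_t example_high_bit(void)
{
    const unsigned char buf[4] = {0x80, 0x00, 0x00, 0x01};
    return read_be32(buf);   /* 0x80000001 */
}

uint32_t example_all_ones(void)
{
    const unsigned char buf[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    return read_be32(buf);   /* 0xFFFFFFFF */
}

/* A plain input, to show the reader is an ordinary big-endian decode. */
uint32_t example_small(void)
{
    const unsigned char buf[4] = {0x00, 0x00, 0x01, 0x02};
    return read_be32(buf);   /* 0x00000102 */
}
```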
This PR fixes all pending bug reports and CVEs (plus many more bugs found by libFuzzer in the past few days).
This was referenced Jun 28, 2020
Cropping cannot work. Either we need to ignore and skip all data, or bail out. But cropping the size and pretending everything is ok will fail the next box.
jas_stream_copy() gets an `int` as size parameter, so large box sizes will result in a negative value, which is (surprisingly) a legal parameter value for jas_stream_copy().
Awesome work! @MaxKellermann do you plan to push more to this branch or can I review?
Review & merge any time.