New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL pointer dereference was discovered #184

Closed

YourButterfly opened this issue Oct 31, 2018 · 4 comments

YourButterfly commented Oct 31, 2018 •

edited

Loading

An issue was discovered in Jasper 2.0.14. There is a NULL pointer dereference at function ras_putdatastd

In file: /home/pwd/fuzz/fuzz-jasper/jenkins/jasper/src/libjasper/ras/ras_enc.c
   259 		nz = 0;
   260 		for (x = 0; x < hdr->width; x++) {
   261 			z <<= hdr->depth;
   262 			if (RAS_ISRGB(hdr)) {
   263 				v = RAS_RED((jas_matrix_getv(data[0], x))) |
 ► 264 				  RAS_GREEN((jas_matrix_getv(data[1], x))) |
   265 				  RAS_BLUE((jas_matrix_getv(data[2], x)));
   266 			} else {
   267 				v = (jas_matrix_getv(data[0], x));
   268 			}
   269 			z |= v & RAS_ONES(hdr->depth);

// Program received signal SIGSEGV (fault address 0x28)
// pwndbg> p data[1]
// $16 = (jas_matrix_t *) 0x0
// pwndbg> p data
// $17 = {0x6080000081a0, 0x0, 0x0}

At the site of data define , the value of "numcmpts" is 1

	for (i = 0; i < numcmpts; ++i) {
		if (!(data[i] = jas_matrix_create(jas_image_height(image),
		  jas_image_width(image)))) {
			goto error;
		}
	}

command line

./jasper  --input-format jpc --output /dev/null --output-format ras --input poc

The text was updated successfully, but these errors were encountered:

carnil commented Oct 31, 2018

CVE-2018-18873 was assigned for this issue.

apoleon commented Jan 3, 2019

The data array contains a NULL pointer. A perhaps too simplistic solution could be to check whether this is the case and then either continue or goto error. At least it mitigates against this issue.

https://gist.github.com/apoleon/eb4e396b510f2bb5a925660dab09be79

Author

YourButterfly commented Jan 4, 2019

cool work @apoleon

jubalh mentioned this issue

CVE-2018-18873 jasper-maint/jasper#15

Closed

Contributor

MaxKellermann commented Jun 28, 2020

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

jubalh closed this as completed in

12db807

jubalh added a commit to jubalh/buildroot that referenced this issue


          Update Jasper to 2.0.19

3c4f2bc

Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue


          package/jasper: security bump to version 2.0.19

d0f7b24

Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <[email protected]>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <[email protected]>

woodsts pushed a commit to woodsts/buildroot that referenced this issue


          package/jasper: security bump to version 2.0.19

5a9d409

Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <[email protected]>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <[email protected]>

woodsts pushed a commit to woodsts/buildroot that referenced this issue


          package/jasper: security bump to version 2.0.19

dc10b2e

Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <[email protected]>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <[email protected]>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment