Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <55D5991C.7070107@gmail.com>
Date: Thu, 20 Aug 2015 11:08:44 +0200
From: FEIST Josselin <josselin.feist@...il.com>
To: oss-security@...ts.openwall.com
Subject: Use-after-free (and double-free) in Jasper JPEG-200 (CVE-2015-5221)

Hi,

A new use-after-free was found in Jasper JPEG-200.

The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file. Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp) (line 572), but if one of the two following branch conditions is taken (line 573/576), a second call to jas_tvparser_destroy(tvp) occurs (line 586). It is a use-after-free because before calling free in jas_tvparser_destroy there is a check to tvp->buf, while tvp could have been freed. Two double free take place just after this check (on tvp->buf and tvp). A simple fix  should be to move the first call of jas_tvparser_destroy after the two branch conditions (or set tvp to NULL after it has been freed in mif_process_cmpt).

The vulnerability was found by a static binary analysis using the tool gueb (that will become open-source soon).

Since another double-free in this library was found recently (http://seclists.org/oss-sec/2015/q3/366), maybe a patch could fix both of them ?

Best regards,
Feist Josselin


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.