Message-ID: <3626D6E697A150459C44C0E5D8D8D00E0DBD5177@EX02.corp.qihoo.net>
Date: Wed, 13 Jan 2016 03:54:55 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function
Hello,
We found a vulnerability in the way JasPer's jpc_pi_nextcprl() function parsed certain JPEG 2000 image files.
I was successful in reproducing this issue in jasper-1.900.1-31.fc23.src.
The gdb info was:
Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)
Program received signal SIGSEGV, Segmentation fault.
jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
435 pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
(gdb) bt
#0 jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
#1 jpc_pi_next (pi=pi@...ry=0x80a4ab0) at jpc_t2cod.c:125
#2 0x08062d85 in jpc_dec_decodepkts (dec=dec@...ry=0x809a5b8,
pkthdrstream=0x8096308, in=0x8096308) at jpc_t2dec.c:441
#3 0x0806202a in jpc_dec_process_sod (dec=0x809a5b8, ms=0x0) at jpc_dec.c:591
#4 0x0806158d in jpc_dec_decode (dec=0x809a5b8) at jpc_dec.c:390
#5 jpc_decode (in=in@...ry=0x8096308, optstr=optstr@...ry=0x0)
at jpc_dec.c:254
#6 0x08056627 in jp2_decode (in=0x8096308, optstr=0x0) at jp2_dec.c:215
#7 0x08051a28 in jas_image_decode (in=in@...ry=0x8096308,
fmt=<optimized out>, optstr=0x0) at jas_image.c:379
#8 0x08048f19 in main (argc=9, argv=0xbffff094) at jasper.c:229
This vulnerability was found by Qihoo 360 Codesafe Team
Download attachment "jasper_poc.zip" of type "application/octet-stream" (1150 bytes)