Multiple memory corruptions in JasPer 1.900, leading to crashes in most applications that use gdk-pixbuf, were found.
The cause of these memory corruptions is probably the use of uninitialized values.
Valgrind report after running the reproducer:
==15417== Command: jasper --input sigsegv.jp2 --output-format pnm
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C926: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C826: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
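The pattern Memcheck is reporting above (a table obtained from malloc via a jas_alloc2-style wrapper, only partly filled by the decoder, then read in a branch) is illustrated below with an added, self-constructed example. It is not code from this report or from JasPer: the toy format, the function names and the sample byte strings are all hypothetical, chosen only to reproduce the "Conditional jump or move depends on uninitialised value(s)" / "Uninitialised value was created by a heap allocation" pair when run under valgrind --track-origins=yes (the origin lines in the report above show that option was in effect).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical toy stream format (constructed for this example, not JasPer's):
 *   byte 0      : n_slots   - number of table entries the header promises
 *   byte 1      : n_present - entries actually carried in the stream
 *   bytes 2..   : n_present one-byte values
 * A malformed stream may carry fewer entries than the header promises.
 */

/* Vulnerable: the table comes from malloc (like an overflow-unaware
 * jas_alloc2-style n * size wrapper), only n_present slots are written,
 * but all n_slots are later tested. For i >= n_present the branch on
 * tbl[i] depends on whatever the heap held before; Memcheck reports this
 * as "Conditional jump or move depends on uninitialised value(s)" with
 * origin "created by a heap allocation". */
int count_nonzero_vuln(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    size_t n_slots = buf[0], n_present = buf[1];
    if (n_present > n_slots || len < 2 + n_present) return -1;
    int *tbl = malloc(n_slots * sizeof *tbl);      /* contents indeterminate */
    if (!tbl) return -1;
    for (size_t i = 0; i < n_present; i++)
        tbl[i] = buf[2 + i];
    int hits = 0;
    for (size_t i = 0; i < n_slots; i++)
        if (tbl[i] != 0) hits++;                   /* uninitialised read if n_present < n_slots */
    free(tbl);
    return hits;
}

/* Hardened: every slot has a defined value before it is read. calloc
 * zero-fills and also checks the n * size multiplication for overflow.
 * Whether "missing entry means zero" or "missing entry means reject the
 * stream" is right depends on the format; what must not happen is a
 * branch on memory nothing ever wrote. */
int count_nonzero_fixed(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    size_t n_slots = buf[0], n_present = buf[1];
    if (n_present > n_slots || len < 2 + n_present) return -1;
    int *tbl = calloc(n_slots, sizeof *tbl);       /* zero-initialised */
    if (!tbl) return -1;
    for (size_t i = 0; i < n_present; i++)
        tbl[i] = buf[2 + i];
    int hits = 0;
    for (size_t i = 0; i < n_slots; i++)
        if (tbl[i] != 0) hits++;
    free(tbl);
    return hits;
}

/* Constructed sample streams (not taken from any real file). */
const uint8_t sample_complete[] = {3, 3, 1, 0, 5};  /* 3 slots, all 3 present     */
const uint8_t sample_short[]    = {4, 2, 7, 0};     /* 4 slots, only 2 present    */
const uint8_t sample_overfull[] = {2, 3, 1, 2, 3};  /* more entries than slots    */

int main(void)
{
    printf("complete: vuln=%d fixed=%d\n",
           count_nonzero_vuln(sample_complete, sizeof sample_complete),
           count_nonzero_fixed(sample_complete, sizeof sample_complete));
    /* Under valgrind --track-origins=yes the next call is flagged:
     * two of the four slots are read without ever being written. */
    printf("short:    vuln=%d fixed=%d\n",
           count_nonzero_vuln(sample_short, sizeof sample_short),
           count_nonzero_fixed(sample_short, sizeof sample_short));
    printf("overfull: fixed=%d (rejected)\n",
           count_nonzero_fixed(sample_overfull, sizeof sample_overfull));
    return 0;
}
```

Build with `cc -g -O0 uninit.c -o uninit` and run `valgrind --track-origins=yes ./uninit`: the complete stream is silent, the short stream produces the same two-part report as above (the conditional-jump frame inside count_nonzero_vuln, then the origin frame pointing at the malloc call). Compiling with `-fsanitize=memory` under clang, where available, catches the same read at run time. The result of the vulnerable function on the short stream is deliberately not asserted on, because it depends on heap contents.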
The provided reproducer no longer crashes jasper with all relevant CVE-2015-* and CVE-2016-* fixes applied, so these are likely duplicates of other reports. There is no plan to investigate more closely to identify which test case is for which CVE. Upcoming updates will address them.