Bug 1256267

Summary: jasper: Multiple memory corruptions caused by uninitialized values
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jokerman, jpopelka, kseifried, lmeyer, mmccomas, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-05 12:41:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1260926    
Bug Blocks: 1254249    

Description Adam Mariš 2015-08-24 08:47:22 UTC 
Multiple memory corruptions in JasPer 1.900 leading to crashing the most of applications that uses gdk-pixbuf were found.
The cause of such memory corruptions is probably usage of uninitialized values.

Valgrind report after applying reproducer:

==15417== Command: jasper --input sigsegv.jp2 --output-format pnm
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417== at 0x405EE3F: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405F110: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405E6FC: jpc_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4057805: jp2_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x404BDAB: jas_image_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x8048D78: ??? (in /usr/bin/jasper)
==15417== by 0x40B1A82: (below main) (libc-start.c:287)
==15417== Uninitialised value was created by a heap allocation
==15417== at 0x402A17C: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417== by 0x405127A: jas_malloc (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4051323: jas_alloc2 (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405C926: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405E6FC: jpc_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4057805: jp2_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x404BDAB: jas_image_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x8048D78: ??? (in /usr/bin/jasper)
==15417== by 0x40B1A82: (below main) (libc-start.c:287)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417== at 0x405F06C: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405F110: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405E6FC: jpc_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4057805: jp2_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x404BDAB: jas_image_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x8048D78: ??? (in /usr/bin/jasper)
==15417== by 0x40B1A82: (below main) (libc-start.c:287)
==15417== Uninitialised value was created by a heap allocation
==15417== at 0x402A17C: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417== by 0x405127A: jas_malloc (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4051323: jas_alloc2 (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405C826: ??? (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x405E6FC: jpc_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x4057805: jp2_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x404BDAB: jas_image_decode (in
/usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== by 0x8048D78: ??? (in /usr/bin/jasper)
==15417== by 0x40B1A82: (below main) (libc-start.c:287)
Comment 2 Adam Mariš 2015-09-08 08:24:35 UTC 
Public via:

http://seclists.org/oss-sec/2015/q3/443
Comment 3 Adam Mariš 2015-09-08 08:26:36 UTC 
Acknowledgements:

Red Hat would like to thank Gustavo Grieco for reporting this issue.
Comment 7 Tomas Hoger 2017-04-05 12:41:50 UTC 
Provided reproducer no longer crash jasper with all relevant CVE-2015-* and CVE-2016-* fixes applied, so they are likely duplicates of other reports.  There's no plan to investigate more closely to identify which test case is for which CVE.  Upcoming updates will address them.