Bug 1294039

Summary: jasper: Integer overflow in jas_matrix_create()
Product: [Fedora] Fedora Reporter: limingxing <limingxing>
Component: jasperAssignee: Rex Dieter <rdieter>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 23CC: cbuissar, jpopelka, mprpic, rdieter
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-11 12:49:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1296949    
Attachments:
Description Flags
crash pos none

Description limingxing 2015-12-24 08:37:22 UTC 
Created attachment 1109156 [details]
crash pos

We find a vulnerability in the way JasPer's jas_matrix_create() function parsed certain JPEG 2000 image files. 

jas_matrix_t *jas_matrix_create(int numrows, int numcols)
{
	.......

	if (matrix->maxrows_ > 0) {
		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
		  sizeof(jas_seqent_t *)))) {

        ................

matrix->maxrows_ > 0 ,but matrix->maxrows_ *sizeof(jas_seqent_t *) can cause Integer overflow.

Reported by Qihoo 360 Codesafe Team
Comment 1 Martin Prpič 2016-01-08 14:30:27 UTC 
*** Bug 1296950 has been marked as a duplicate of this bug. ***
Comment 2 Cedric Buissart 2016-01-11 12:49:42 UTC 

*** This bug has been marked as a duplicate of bug 461476 ***
Comment 3 limingxing 2016-01-13 05:00:26 UTC 
Hi,
You are right,I made a mistake,I omit the patch.

And,I find another vulnerability about Jasper.
I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src.

Please see:
http://www.openwall.com/lists/oss-security/2016/01/13/2