Bug 1302636 (CVE-2016-2089)

Summary: CVE-2016-2089 jasper: matrix rows_ NULL pointer dereference in jas_matrix_clip()
Product: Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, alonbl, bmcclain, carnil, cfergeau, dblechte, dmcphers, erik-fedora, fridrich.strba, jialiu, jokerman, jpopelka, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, phracek, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, tiwillia, yeylon, ykaul, ylavi
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: jasper 1.900.3
Doc Type: Bug Fix
Last Closed: 2017-05-09 21:41:11 UTC
Bug Depends On: 1302637, 1302638, 1302639, 1302640, 1439171, 1439172, 1439173, 1439174
Bug Blocks: 1302641, 1314477
Attachments:
- Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays (flags: fridrich.strba: review?)
- rows_ NULL check (flags: none)

Description Andrej Nemec 2016-01-28 10:15:25 UTC
A vulnerability was found in the way JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

Original bug report (with reproducer attached):

http://seclists.org/oss-sec/2016/q1/233

CVE assignment:

http://seclists.org/oss-sec/2016/q1/235

Comment 1 Andrej Nemec 2016-01-28 10:16:42 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1302638]
Affects: fedora-all [bug 1302640]

Comment 2 Andrej Nemec 2016-01-28 10:16:59 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1302637]
Affects: fedora-all [bug 1302639]

Comment 3 Fridrich Strba 2016-01-28 14:58:19 UTC
Created attachment 1119177 [details]
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays

I tried to put belts and braces to prevent reading of first elements of empty arrays. I also tried to check some of the null pointer dereferencing. The reproducer does not crash anymore, but it is possible that similar issues are still there :(

Comment 4 Tomas Hoger 2016-02-01 20:48:03 UTC
(In reply to Fridrich Strba from comment #3)
> Created attachment 1119177 [details]
> Proposed patch to fix unchecked pointer dereferencing and reading of first
> elements of empty arrays

Agree with the addition of !matrix->rows_ check to ensure rows_ is not NULL.  Considering that e.g. jas_matrix_create() allows creation of a matrix with numrows_ == 0 and rows_ == NULL, the NULL check likely should be in jas_matrix_clip() rather than having it earlier on, closer to where the matrix is created.

I do not think !matrix->numrows_ check is needed.  The numrows_ == 0 does not seem to cause any issue - both jas_matrix_rowstep() and the subsequent for loop would handle it gracefully (the loop won't be executed).  The earlier return from the function does not seem to make any real difference.

Regarding the !matrix check, it probably does not belong there.  There's other code that does not check matrix to be non-NULL (e.g. jas_matrix_cmp() to stay close to the patched code).  If jas_matrix_clip() can be called with matrix == NULL, the NULL check is probably missing earlier on.

Agree on adding the same !matrix->rows_ check to other functions using a similar for loop - jas_matrix_divpow2(), jas_matrix_asr(), jas_matrix_asl(), and jas_matrix_setall().

The !matrix check added to jas_seq2d_input() is redundant, there's already a NULL check right above, as can be seen in the context of the attached patch.

For jas_image_readcmpt() / jas_image_writecmpt(), a similar !data->rows_ check would be more consistent and more obvious.
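A compact C model of the point made in comment 4, added here as an illustration and not JasPer's own code: a zero-row matrix is a legitimate object whose rows_ is NULL, so the guard belongs in the clip routine itself, while numrows_ == 0 on its own needs no early return because the loop simply does not execute. The field names (numrows_, numcols_, rows_, data_) follow the comments above; matrix_t, matrix_create() and matrix_clip() are hypothetical stand-ins, not the library's API.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified stand-in for JasPer's matrix type (assumption: only the
 * fields the discussion touches are modelled). */
typedef struct {
    int numrows_;
    int numcols_;
    int **rows_;   /* NULL when the matrix has zero rows */
    int *data_;
} matrix_t;

/* Mirrors the situation in comment 4: a 0-row matrix is a valid object
 * whose rows_ pointer is left NULL. */
matrix_t *matrix_create(int numrows, int numcols) {
    matrix_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->numrows_ = numrows;
    m->numcols_ = numcols;
    if (numrows > 0 && numcols > 0) {
        m->data_ = calloc((size_t)numrows * numcols, sizeof *m->data_);
        m->rows_ = calloc((size_t)numrows, sizeof *m->rows_);
        if (!m->data_ || !m->rows_) {
            free(m->data_); free(m->rows_); free(m);
            return NULL;
        }
        for (int i = 0; i < numrows; i++)
            m->rows_[i] = m->data_ + (size_t)i * numcols;
    }
    return m;
}

void matrix_destroy(matrix_t *m) {
    if (m) { free(m->rows_); free(m->data_); free(m); }
}

/* Clip every element into [minval, maxval]. Returns false and touches
 * nothing when rows_ is NULL (the check the patch adds). A matrix with
 * numrows_ == 0 but non-NULL rows_ needs no special case: the outer loop
 * never runs, which is why comment 4 calls the !numrows_ check unneeded. */
bool matrix_clip(matrix_t *m, int minval, int maxval) {
    if (!m->rows_) return false;   /* without this, rows_[i] faults on NULL */
    for (int i = 0; i < m->numrows_; i++) {
        int *row = m->rows_[i];
        for (int j = 0; j < m->numcols_; j++) {
            if (row[j] < minval) row[j] = minval;
            else if (row[j] > maxval) row[j] = maxval;
        }
    }
    return true;
}
```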

Comment 5 Tomas Hoger 2016-02-01 20:57:56 UTC
Created attachment 1120247 [details]
rows_ NULL check

Fridrich's patch from comment 3 with changes as indicated in comment 4.

Comment 7 Tomas Hoger 2016-02-01 21:02:38 UTC
Reported as invalid read, but really is a NULL pointer dereference issue.  Hence impact is limited to application crash.

Comment 8 Tomas Hoger 2016-02-11 11:55:29 UTC
Fridrich, any thoughts on the patch review comments in comment 4?  I assume you're using your original version in SUSE updates.

Comment 9 Fridrich Strba 2016-02-11 12:07:42 UTC
No, I use your patch since you provided it.

Comment 10 Tomas Hoger 2016-02-17 09:05:40 UTC
Ok, thank you!

Comment 11 Tomas Hoger 2016-02-17 09:06:30 UTC
No plans to fix in jasper packages in Red Hat Enterprise Linux 6 and 7.

Comment 12 Tomas Hoger 2016-11-23 22:53:08 UTC
Fixed upstream in version 1.900.3:

https://github.com/mdadams/jasper/commit/c87ad330a8b8d6e5eb0065675601fdfae08ebaab

Comment 14 errata-xmlrpc 2017-05-09 17:16:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208