A heap-based buffer overflow flaw was reported in JasPer's jpc_dec_cp_setfromcox() and jpc_dec_cp_setfromrgn() functions. Processing a specially-crafted image with an application that uses JasPer could cause the application to crash or, potentially, execute arbitrary code. Acknowledgements: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Created attachment 961994 [details] Proposed patch This seems to be an off-by-one issue in jpc_dec_process_coc and jpc_dec_process_rgn. There are existing checks to ensure that coc->compno / rgn->compno is not more than dec->numcomps. The reason is that compno is later used as an index into jpc_dec_cp_t's ccps[] array, which is allocated to have numcomps entries. However, compno == numcomps is already out of the allocated bounds, and the checks should be adjusted to error out when compno >= numcomps, rather than when compno > numcomps. There is a similar issue in jpc_dec_process_qcc which is also corrected by this patch.
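The off-by-one described above, as an added example that is not JasPer's code or the proposed patch: a constructed stand-in for the ccps[] array (demo_cp_t, numcomps entries) with the original `>` check next to the corrected `>=` check, and a helper that counts how many out-of-bounds compno values each check lets through.

```c
#include <stdlib.h>

/* Constructed stand-in for the per-component array that JasPer's
 * jpc_dec_cp_t keeps in ccps[] (numcomps entries); not JasPer's real type. */
typedef struct {
    int numcomps;   /* number of entries allocated in ccps[] */
    int *ccps;      /* valid indices are 0 .. numcomps-1 */
} demo_cp_t;

/* Shape of the original check: only compno > numcomps is rejected,
 * so compno == numcomps passes and indexes one entry past the end. */
int compno_ok_buggy(const demo_cp_t *cp, int compno)
{
    return !(compno > cp->numcomps);
}

/* Shape of the patched check: compno must be strictly less than numcomps. */
int compno_ok_fixed(const demo_cp_t *cp, int compno)
{
    return !(compno >= cp->numcomps);
}

/* Is compno a valid index into an array of numcomps entries? */
static int in_bounds(const demo_cp_t *cp, int compno)
{
    return compno >= 0 && compno < cp->numcomps;
}

/* Feed every compno from 0 to numcomps+1 (as a decoder would read it from a
 * COC/RGN/QCC marker) through the given check and count the values it accepts
 * even though they fall outside ccps[]. A sound check returns 0; the original
 * off-by-one returns 1 (the compno == numcomps case). Returns -1 on alloc failure. */
int count_oob_accepted(int (*ok)(const demo_cp_t *, int), int numcomps)
{
    demo_cp_t cp;
    int compno, bad = 0;

    cp.numcomps = numcomps;
    cp.ccps = calloc((size_t)numcomps, sizeof *cp.ccps);
    if (!cp.ccps)
        return -1;
    for (compno = 0; compno <= numcomps + 1; compno++) {
        if (ok(&cp, compno) && !in_bounds(&cp, compno))
            bad++;          /* the check would let this index reach ccps[] */
    }
    free(cp.ccps);
    return bad;
}
```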
Comment on attachment 961994 [details] Proposed patch Patch looks good to me. Thanks, Tomas!
Public now via oCERT-2014-009 advisory. External References: http://www.ocert.org/advisories/ocert-2014-009.html
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1170652] Affects: epel-7 [bug 1170655]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1170650] Affects: epel-5 [bug 1170654]
Issue Description: Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Fix was integrated upstream in version 1.900.2: https://github.com/mdadams/jasper/commit/5dbe57e4808bea4b83a97e2f4aaf8c91ab6fdecb