A use-after-free which leads to a double-free vulnerability was found in the Jasper JPEG-2000 library, in the src/libjasper/mif/mif_cod.c file:

    case MIF_HSAMP:
        cmpt->sampperx = atoi(jas_tvparser_getval(tvp));
        break;
    case MIF_VSAMP:
        cmpt->samppery = atoi(jas_tvparser_getval(tvp));
        break;
    /* ... */
    jas_tvparser_destroy(tvp);          /* tvp and tvp->buf freed here, tvp not reset */
    if (!cmpt->sampperx || !cmpt->samppery) {
        goto error;                      /* error path reached with dangling tvp */
    }
    if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
        goto error;                      /* same problem on this branch */
    }
    return 0;

    error:
    if (cmpt) {
        mif_cmpt_destroy(cmpt);
    }
    if (tvp) {
        jas_tvparser_destroy(tvp);       /* second destroy of an already freed tvp */
    }
    return -1;

Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp), but if either of the two following branch conditions is taken, a second call to jas_tvparser_destroy(tvp) occurs. It is a use-after-free because jas_tvparser_destroy checks tvp->buf before calling free, while tvp itself has already been freed. Two double frees then take place just after this check (on tvp->buf and on tvp).

Public via: http://seclists.org/oss-sec/2015/q3/408

Acknowledgements:

Name: Josselin Feist
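The defect above is a shared error label that destroys a parser object after the success path has already destroyed it. The following is an added, self-contained C example (not Jasper's code; tvparser_t, cmpt_t and the "hsamp=N vsamp=M" spec format are constructed stand-ins for jas_tvparser_t, the MIF component record and the tag/value syntax) showing the hardened shape of that control flow: the local pointer is nulled immediately after the destroy, so the cleanup label becomes a no-op for it on every branch, and a destroy counter lets the caller verify that each parser is released exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for jas_tvparser_t: owns a heap copy of the input. */
typedef struct {
    char *buf;
} tvparser_t;

/* Constructed stand-in for the MIF component record (only the two fields
   the original check looks at). */
typedef struct {
    int sampperx;
    int samppery;
} cmpt_t;

/* Instrumentation: number of times tvparser_destroy() really ran. */
static int destroy_calls = 0;

static tvparser_t *tvparser_create(const char *s)
{
    tvparser_t *tvp = calloc(1, sizeof *tvp);
    if (!tvp) {
        return NULL;
    }
    size_t n = strlen(s) + 1;
    tvp->buf = malloc(n);
    if (!tvp->buf) {
        free(tvp);
        return NULL;
    }
    memcpy(tvp->buf, s, n);
    return tvp;
}

/* Mirrors the shape of jas_tvparser_destroy: reads tvp->buf, then frees
   both.  Calling it twice on the same pointer is the bug class reported above. */
static void tvparser_destroy(tvparser_t *tvp)
{
    if (tvp->buf) {
        free(tvp->buf);
    }
    free(tvp);
    destroy_calls++;
}

/* Hardened version of the component-processing flow.  force_add_failure
   stands in for mif_hdr_addcmpt() failing, so both error branches after the
   destroy can be exercised. */
static int process_cmpt(const char *spec, cmpt_t *cmpt, int force_add_failure)
{
    tvparser_t *tvp = NULL;
    char *tok;

    cmpt->sampperx = 0;
    cmpt->samppery = 0;

    if (!(tvp = tvparser_create(spec))) {
        goto error;
    }
    for (tok = strtok(tvp->buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strncmp(tok, "hsamp=", 6)) {
            cmpt->sampperx = atoi(tok + 6);
        } else if (!strncmp(tok, "vsamp=", 6)) {
            cmpt->samppery = atoi(tok + 6);
        }
    }

    tvparser_destroy(tvp);
    tvp = NULL;   /* ownership released: the error label must not see a live pointer */

    if (!cmpt->sampperx || !cmpt->samppery) {
        goto error;
    }
    if (force_add_failure) {
        goto error;
    }
    return 0;

error:
    if (tvp) {            /* only reached non-NULL if parsing itself bailed out */
        tvparser_destroy(tvp);
    }
    return -1;
}

/* Helpers for checking: return code, parsed values, and how many destroys
   one call caused (must be exactly 1 whenever the parser was created). */
static int process_result(const char *spec, int force_add_failure)
{
    cmpt_t c;
    return process_cmpt(spec, &c, force_add_failure);
}

static int parses_to(const char *spec, int x, int y)
{
    cmpt_t c;
    return process_cmpt(spec, &c, 0) == 0 && c.sampperx == x && c.samppery == y;
}

static int destroy_count_for(const char *spec, int force_add_failure)
{
    cmpt_t c;
    int before = destroy_calls;
    process_cmpt(spec, &c, force_add_failure);
    return destroy_calls - before;
}

int main(void)
{
    printf("ok path: rc=%d destroys=%d\n", process_result("hsamp=2 vsamp=1", 0),
           destroy_count_for("hsamp=2 vsamp=1", 0));
    printf("bad sampling: rc=%d destroys=%d\n", process_result("hsamp=0 vsamp=1", 0),
           destroy_count_for("hsamp=0 vsamp=1", 0));
    printf("addcmpt failure: rc=%d destroys=%d\n", process_result("hsamp=2 vsamp=1", 1),
           destroy_count_for("hsamp=2 vsamp=1", 1));
    return 0;
}
```

Building with -fsanitize=address and removing the `tvp = NULL;` line reproduces the reported pattern (a read of tvp->buf on freed memory followed by a double free) on both error branches, which is the quickest regression check for this class of bug.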
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1255715]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1255714]
Created jasper tracking bugs for this issue: Affects: epel-5 [bug 1255716]
Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1255717]
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in jasper 1.900.2: https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208