Bug 1255710 (CVE-2015-5221) - CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()
Summary: CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1255714 1255715 1255716 1255717 1260926 1439171 1439172 1439173 1439174
Blocks: 1254249 1314477
TreeView+ depends on / blocked
 
Reported: 2015-08-21 11:40 UTC by Adam Mariš
Modified: 2021-02-17 05:00 UTC (History)
17 users (show)

Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 21:42:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2015-08-21 11:40:26 UTC 
A use-after-free which leads to double-free vulnerability was found in Jasper JPEG-2000 library, in src/libjasper/mif/mif_cod.c file.

    553                 case MIF_HSAMP:
    554                         cmpt->sampperx = atoi(jas_tvparser_getval(tvp));
    555                         break;
    556                 case MIF_VSAMP:
    557                         cmpt->samppery = atoi(jas_tvparser_getval(tvp));
    558                         break;

    572         jas_tvparser_destroy(tvp);
    573         if (!cmpt->sampperx || !cmpt->samppery) {
    574                 goto error;
    575         }
    576         if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
    577                 goto error;
    578         }
    579         return 0;
    580
    581 error:
    582         if (cmpt) {
    583                 mif_cmpt_destroy(cmpt);
    584         }
    585         if (tvp) {
    586                 jas_tvparser_destroy(tvp);
    587         }
    588         return -1;

Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp), but if one of the two following branch conditions is taken, a second call to jas_tvparser_destroy(tvp) occurs. It is a use-after-free because before calling free in jas_tvparser_destroy there is a check to tvp->buf, while tvp could have been freed. Two double free take place just after this check (on tvp->buf and tvp).

Public via:

http://seclists.org/oss-sec/2015/q3/408

Acknowledgements:

Name: Josselin Feist
Comment 1 Adam Mariš 2015-08-21 11:47:03 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255715]
Comment 2 Adam Mariš 2015-08-21 11:47:06 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255714]
Comment 3 Adam Mariš 2015-08-21 11:47:44 UTC 
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1255716]
Comment 4 Adam Mariš 2015-08-21 11:48:03 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1255717]
Comment 7 Fedora Update System 2016-08-15 21:21:38 UTC 
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-09-09 21:51:51 UTC 
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2016-11-23 21:41:02 UTC 
Fixed in jasper 1.900.2:

https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3
Comment 13 errata-xmlrpc 2017-05-09 17:15:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
Note You need to log in before you can comment on or make changes to this bug.