Bug 1256267 - jasper: Multiple memory corruptions caused by uninitialized values
Status: CLOSED NEXTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150826,repor...
Keywords: Reopened, Security
Depends On: 1260926
Blocks: 1254249
Reported: 2015-08-24 04:47 EDT by Adam Mariš
Modified: 2017-04-05 08:41 EDT
Doc Type: Bug Fix
Last Closed: 2017-04-05 08:41:50 EDT
Attachments: None
Description Adam Mariš 2015-08-24 04:47:22 EDT
Multiple memory corruptions in JasPer 1.900 leading to crashes of most applications that use gdk-pixbuf were found.
The cause of such memory corruptions is probably the use of uninitialized values.

Valgrind report after applying the reproducer:

==15417== Command: jasper --input sigsegv.jp2 --output-format pnm
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C926: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C826: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
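Memcheck output like the trace above can be triaged mechanically. The following added example (not JasPer code and not part of this report) parses such a trace and pairs each uninitialised-value use with the allocation that created it, so the call sites under jas_alloc2 that need zero-initialisation can be listed; it assumes the run used Valgrind's `--track-origins=yes`, which is what produces the "Uninitialised value was created by" lines, and its SAMPLE is an abridged copy of the trace in the description.

```python
"""Group Valgrind memcheck uninitialised-value errors by the allocation that made
the value.  Added triage helper (not JasPer code, not from the bug report)."""
import re
from collections import Counter
ERROR_TEXT = "Conditional jump or move depends on uninitialised value(s)"
ORIGIN_TEXT = "Uninitialised value was created by"
PREFIX_RE = re.compile(r"^==\d+==\s*")                 # strip the "==PID==" column
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \(.*)?$")  # symbol
ALLOCATORS = {"malloc", "calloc", "realloc", "jas_malloc", "jas_alloc2"}

SAMPLE = """\
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C926: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==  Uninitialised value was created by a heap allocation
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
"""

def parse_memcheck(text):
    """Return [(use_frames, origin_frames)] for each uninitialised-value error."""
    errors, target = [], None
    for line in text.splitlines():
        body = PREFIX_RE.sub("", line).strip()
        if body.startswith(ERROR_TEXT):        # a new error record begins
            errors.append(([], []))
            target = errors[-1][0]
        elif body.startswith(ORIGIN_TEXT) and errors:
            target = errors[-1][1]             # following frames are the allocation
        elif target is not None and (m := FRAME_RE.match(body)):
            target.append(m.group(1))
    return errors

def first_named(frames, skip=frozenset()):
    """First resolved symbol in a stack that is not in `skip` (allocator wrappers)."""
    return next((s for s in frames if s != "???" and s not in skip), "<unresolved>")

def summarise(text):
    """Count (function using the value, function that allocated it) pairs."""
    return Counter((first_named(u), first_named(o, ALLOCATORS))
                   for u, o in parse_memcheck(text))
```

On the sample, `summarise(SAMPLE)` reports both uses inside jpc_decode with both values allocated under jpc_decode via jas_alloc2, which is the place a fix (zeroed allocation or explicit field initialisation) belongs.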
Comment 2 Adam Mariš 2015-09-08 04:24:35 EDT
Public via:

http://seclists.org/oss-sec/2015/q3/443
Comment 3 Adam Mariš 2015-09-08 04:26:36 EDT
Acknowledgements:

Red Hat would like to thank Gustavo Grieco for reporting this issue.
Comment 7 Tomas Hoger 2017-04-05 08:41:50 EDT
Provided reproducer no longer crashes jasper with all relevant CVE-2015-* and CVE-2016-* fixes applied, so they are likely duplicates of other reports.  There's no plan to investigate more closely to identify which test case is for which CVE.  Upcoming updates will address them.