Bug 1294039 - jasper: Integer overflow in jas_matrix_create()
jasper: Integer overflow in jas_matrix_create()
Status: CLOSED DUPLICATE of bug 461476
Product: Fedora
Classification: Fedora
Component: jasper (Show other bugs)
23
All All
unspecified Severity medium
: ---
: ---
Assigned To: Rex Dieter
Fedora Extras Quality Assurance
: Security, SecurityTracking
: 1296950 (view as bug list)
Depends On:
Blocks: CVE-2015-8751
  Show dependency treegraph
 
Reported: 2015-12-24 03:37 EST by limingxing
Modified: 2016-01-13 02:36 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-11 07:49:42 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
crash pos (212 bytes, image/jp2)
2015-12-24 03:37 EST, limingxing
no flags Details

  None (edit)
Description limingxing 2015-12-24 03:37:22 EST
Created attachment 1109156 [details]
crash pos

We find a vulnerability in the way JasPer's jas_matrix_create() function parsed certain JPEG 2000 image files. 

jas_matrix_t *jas_matrix_create(int numrows, int numcols)
{
	.......

	if (matrix->maxrows_ > 0) {
		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
		  sizeof(jas_seqent_t *)))) {

        ................

matrix->maxrows_ > 0 ,but matrix->maxrows_ *sizeof(jas_seqent_t *) can cause Integer overflow.

Reported by Qihoo 360 Codesafe Team
Comment 1 Martin Prpič 2016-01-08 09:30:27 EST
*** Bug 1296950 has been marked as a duplicate of this bug. ***
Comment 2 Cedric Buissart 2016-01-11 07:49:42 EST

*** This bug has been marked as a duplicate of bug 461476 ***
Comment 3 limingxing 2016-01-13 00:00:26 EST
Hi,
You are right,I made a mistake,I omit the patch.

And,I find another vulnerability about Jasper.
I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src.

Please see:
http://www.openwall.com/lists/oss-security/2016/01/13/2

Note You need to log in before you can comment on or make changes to this bug.