Bug 1294039 - jasper: Integer overflow in jas_matrix_create()
Summary: jasper: Integer overflow in jas_matrix_create()
Keywords:
Status: CLOSED DUPLICATE of bug 461476
Alias: None
Product: Fedora
Classification: Fedora
Component: jasper
Version: 23
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1296950 (view as bug list)
Depends On:
Blocks: CVE-2015-8751
TreeView+ depends on / blocked
 
Reported: 2015-12-24 08:37 UTC by limingxing
Modified: 2016-01-13 07:36 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-11 12:49:42 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
crash pos (212 bytes, image/jp2)
2015-12-24 08:37 UTC, limingxing 		no flags Details
View All

Description limingxing 2015-12-24 08:37:22 UTC 
Created attachment 1109156 [details]
crash pos

We find a vulnerability in the way JasPer's jas_matrix_create() function parsed certain JPEG 2000 image files. 

jas_matrix_t *jas_matrix_create(int numrows, int numcols)
{
	.......

	if (matrix->maxrows_ > 0) {
		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
		  sizeof(jas_seqent_t *)))) {

        ................

matrix->maxrows_ > 0 ,but matrix->maxrows_ *sizeof(jas_seqent_t *) can cause Integer overflow.

Reported by Qihoo 360 Codesafe Team
Comment 1 Martin Prpič 2016-01-08 14:30:27 UTC 
*** Bug 1296950 has been marked as a duplicate of this bug. ***
Comment 2 Cedric Buissart 2016-01-11 12:49:42 UTC 

*** This bug has been marked as a duplicate of bug 461476 ***
Comment 3 limingxing 2016-01-13 05:00:26 UTC 
Hi,
You are right,I made a mistake,I omit the patch.

And,I find another vulnerability about Jasper.
I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src.

Please see:
http://www.openwall.com/lists/oss-security/2016/01/13/2
Note You need to log in before you can comment on or make changes to this bug.