Bug 1302636 (CVE-2016-2089) - CVE-2016-2089 jasper: matrix rows_ NULL pointer dereference in jas_matrix_clip()
Summary: CVE-2016-2089 jasper: matrix rows_ NULL pointer dereference in jas_matrix_clip()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2089
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1302637 1302638 1302639 1302640 1439171 1439172 1439173 1439174
Blocks: 1302641 1314477
Reported: 2016-01-28 10:15 UTC by Andrej Nemec
Modified: 2019-09-29 13:43 UTC (History)

Fixed In Version: jasper 1.900.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 21:41:11 UTC
Embargoed:


Attachments
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays (2.44 KB, patch), 2016-01-28 14:58 UTC, Fridrich Strba, flags: fridrich.strba: review?
rows_ NULL check (2.38 KB, patch), 2016-02-01 20:57 UTC, Tomas Hoger, no flags


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Novell | 963983 | 0 | None | None | None | 2016-02-11 11:55:29 UTC
Red Hat Product Errata | RHSA-2017:1208 | 0 | normal | SHIPPED_LIVE | Important: jasper security update | 2017-05-09 21:13:57 UTC

Description Andrej Nemec 2016-01-28 10:15:25 UTC
A vulnerability was found in the way JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

Original bug report (with reproducer attached):

http://seclists.org/oss-sec/2016/q1/233

CVE assignment:

http://seclists.org/oss-sec/2016/q1/235

Comment 1 Andrej Nemec 2016-01-28 10:16:42 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1302638]
Affects: fedora-all [bug 1302640]

Comment 2 Andrej Nemec 2016-01-28 10:16:59 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1302637]
Affects: fedora-all [bug 1302639]

Comment 3 Fridrich Strba 2016-01-28 14:58:19 UTC
Created attachment 1119177 [details]
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays

I tried to put belts and braces to prevent reading of first elements of empty arrays. I also tried to check some of the null pointer dereferencing. The reproducer does not crash anymore, but it is possible that similar issues are still there :(

Comment 4 Tomas Hoger 2016-02-01 20:48:03 UTC
(In reply to Fridrich Strba from comment #3)
> Created attachment 1119177 [details]
> Proposed patch to fix unchecked pointer dereferencing and reading of first
> elements of empty arrays

Agree with the addition of the !matrix->rows_ check to ensure rows_ is not NULL.  Considering that e.g. jas_matrix_create() allows creation of a matrix with numrows_ == 0 and rows_ == NULL, the NULL check likely should be in jas_matrix_clip() rather than having it earlier on, closer to where the matrix is created.

I do not think !matrix->numrows_ check is needed.  The numrows_ == 0 does not seem to cause any issue - both jas_matrix_rowstep() and the subsequent for loop would handle it gracefully (the loop won't be executed).  The earlier return from the function does not seem to make any real difference.

Regarding the !matrix check, it probably does not belong there.  There's other code that does not check matrix to be non-NULL (e.g. jas_matrix_cmp() to stay close to the patched code).  If jas_matrix_clip() can be called with matrix == NULL, the NULL check is probably missing earlier on.

Agree on adding the same !matrix->rows_ check to other functions using a similar for loop - jas_matrix_divpow2(), jas_matrix_asr(), jas_matrix_asl(), and jas_matrix_setall().

The !matrix check added to jas_seq2d_input() is redundant, there's already a NULL check right above, as can be seen in the context of the attached patch.

For jas_image_readcmpt() / jas_image_writecmpt(), similar !data->rows_ checks would be more consistent and more obvious.

Comment 5 Tomas Hoger 2016-02-01 20:57:56 UTC
Created attachment 1120247 [details]
rows_ NULL check

Fridrich's patch from comment 3 with changes as indicated in comment 4.
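
A minimal C model of the fix as reviewed in comment 4, added here as an illustration and not JasPer's code or either attached patch: a matrix type with the numrows_/rows_ fields discussed above, a create routine that, like jas_matrix_create(), can yield numrows_ == 0 with rows_ == NULL, and a clip loop whose initialiser reads rows_[0] before the row count is tested, so the !rows_ check is what prevents the NULL dereference. The names matrix_t, matrix_create, matrix_rowstep and matrix_clip are assumptions made for this example.

```c
#include <stdlib.h>
/* Simplified model of jas_matrix_t written for this example (not JasPer's
   own code): only the fields the clip loop touches. */
typedef int jas_seqent_t;
typedef struct {
    int numrows_;
    int numcols_;
    jas_seqent_t **rows_;  /* NULL when the matrix has no rows (see comment 4) */
    jas_seqent_t *data_;
} matrix_t;

/* Like jas_matrix_create(): a 0-row matrix is legal and leaves rows_ NULL. */
static matrix_t *matrix_create(int numrows, int numcols)
{
    matrix_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->numrows_ = numrows;
    m->numcols_ = numcols;
    if (numrows > 0 && numcols > 0) {
        m->data_ = calloc((size_t)numrows * numcols, sizeof *m->data_);
        m->rows_ = calloc((size_t)numrows, sizeof *m->rows_);
        if (!m->data_ || !m->rows_) { free(m->data_); free(m->rows_); free(m); return NULL; }
        for (int i = 0; i < numrows; ++i)
            m->rows_[i] = m->data_ + (size_t)i * numcols;
    }
    return m;
}

/* jas_matrix_rowstep() equivalent: already safe when numrows_ <= 1. */
static int matrix_rowstep(const matrix_t *m)
{
    return m->numrows_ > 1 ? (int)(m->rows_[1] - m->rows_[0]) : 0;
}

/* Clamp every element into [minval, maxval]; returns how many were changed.
   The loop initialiser reads rows_[0] before i > 0 is tested, which is the
   NULL dereference on an empty matrix; the !m->rows_ check returns early. */
static int matrix_clip(matrix_t *m, jas_seqent_t minval, jas_seqent_t maxval)
{
    if (!m->rows_)
        return 0;
    int clipped = 0, rowstep = matrix_rowstep(m), i;
    jas_seqent_t *rowstart, *data;
    for (i = m->numrows_, rowstart = m->rows_[0]; i > 0; --i, rowstart += rowstep)
        for (data = rowstart; data < rowstart + m->numcols_; ++data) {
            if (*data < minval) { *data = minval; ++clipped; }
            else if (*data > maxval) { *data = maxval; ++clipped; }
        }
    return clipped;
}
```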

Comment 7 Tomas Hoger 2016-02-01 21:02:38 UTC
Reported as an invalid read, but it really is a NULL pointer dereference issue.  Hence impact is limited to application crash.

Comment 8 Tomas Hoger 2016-02-11 11:55:29 UTC
Fridrich, any thoughts on the patch review comments in comment 4?  I assume you're using your original version in SUSE updates.

Comment 9 Fridrich Strba 2016-02-11 12:07:42 UTC
No, I use your patch since you provided it.

Comment 10 Tomas Hoger 2016-02-17 09:05:40 UTC
Ok, thank you!

Comment 11 Tomas Hoger 2016-02-17 09:06:30 UTC
No plans to fix in jasper packages in Red Hat Enterprise Linux 6 and 7.

Comment 12 Tomas Hoger 2016-11-23 22:53:08 UTC
Fixed upstream in version 1.900.3:

https://github.com/mdadams/jasper/commit/c87ad330a8b8d6e5eb0065675601fdfae08ebaab

Comment 14 errata-xmlrpc 2017-05-09 17:16:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

