Bug 1302636 - (CVE-2016-2089) CVE-2016-2089 jasper: matrix rows_ NULL pointer dereference in jas_matrix_clip()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20160127,reported=2...
Keywords: Reopened, Security
Depends On: 1302637 1302638 1302639 1302640 1439171 1439172 1439173 1439174
Blocks: 1302641 1314477

Reported: 2016-01-28 05:15 EST by Andrej Nemec
Modified: 2017-05-09 17:41 EDT
Fixed In Version: jasper 1.900.3
Doc Type: Bug Fix
Last Closed: 2017-05-09 17:41:11 EDT


Attachments
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays (2.44 KB, patch)
2016-01-28 09:58 EST, Fridrich Strba
Flags: fridrich.strba: review?
rows_ NULL check (2.38 KB, patch)
2016-02-01 15:57 EST, Tomas Hoger
Flags: none


External Trackers
Tracker ID Priority Status Summary Last Updated
Novell 963983 None None None 2016-02-11 06:55 EST
Red Hat Product Errata RHSA-2017:1208 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 17:13:57 EDT

Description Andrej Nemec 2016-01-28 05:15:25 EST
A vulnerability was found in the way JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

Original bug report (with reproducer attached):

http://seclists.org/oss-sec/2016/q1/233

CVE assignment:

http://seclists.org/oss-sec/2016/q1/235
Comment 1 Andrej Nemec 2016-01-28 05:16:42 EST
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1302638]
Affects: fedora-all [bug 1302640]
Comment 2 Andrej Nemec 2016-01-28 05:16:59 EST
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1302637]
Affects: fedora-all [bug 1302639]
Comment 3 Fridrich Strba 2016-01-28 09:58 EST
Created attachment 1119177 [details]
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays

I tried to put belts and braces to prevent reading of first elements of empty arrays. I also tried to check some of the null pointer dereferencing. The reproducer does not crash anymore, but it is possible that similar issues are still there :(
Comment 4 Tomas Hoger 2016-02-01 15:48:03 EST
(In reply to Fridrich Strba from comment #3)
> Created attachment 1119177 [details]
> Proposed patch to fix unchecked pointer dereferencing and reading of first
> elements of empty arrays

Agree with the addition of !matrix->rows_ check to ensure rows_ is not NULL.  Considering that e.g. jas_matrix_create() allows creation of matrix with numrows_ == 0 and rows_ == NULL, the NULL check likely should be in jas_matrix_clip() rather than having it earlier on, closer to where matrix is created.

I do not think !matrix->numrows_ check is needed.  The numrows_ == 0 does not seem to cause any issue - both jas_matrix_rowstep() and the subsequent for loop would handle it gracefully (the loop won't be executed).  The earlier return from the function does not seem to make any real difference.

Regarding the !matrix check, it probably does not belong there.  There's other code that does not check matrix to be non-NULL (e.g. jas_matrix_cmp() to stay close to the patched code).  If jas_matrix_clip() can be called with matrix == NULL, the NULL check is probably missing earlier on.

Agree on adding the same !matrix->rows_ to other functions using the similar for loop - jas_matrix_divpow2(), jas_matrix_asr(), jas_matrix_asl(), and jas_matrix_setall().

The !matrix check added to jas_seq2d_input() is redundant, there's already a NULL check right above, as can be seen in the context of the attached patch.

For jas_image_readcmpt() / jas_image_writecmpt(), a similar !data->rows_ check should be more consistent and more obvious.
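The zero-row case discussed in comment 4, as an added C model that is not JasPer's code: a simplified matrix type whose create function permits numrows_ == 0 with rows_ == NULL, and a clip function that, like the loop under review, takes rows_[0] as its start pointer before it looks at numrows_, guarded by the rows_ NULL check. The struct, the model_ function names and the contiguous row layout are assumptions made for this example.

```c
#include <stdlib.h>
/* Simplified model of a JasPer-style matrix. Assumption: this is not JasPer's
 * real struct or API, only the fields the bug discussion refers to. */
typedef struct {
    int numrows_, numcols_;
    int **rows_;   /* row-pointer table; NULL when the matrix has no rows */
    int *data_;    /* contiguous element storage */
} model_matrix_t;
/* As noted in comment 4: a zero-row matrix is legal and leaves rows_ == NULL. */
model_matrix_t *model_matrix_create(int numrows, int numcols)
{
    model_matrix_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->numrows_ = numrows;
    m->numcols_ = numcols;
    if (numrows > 0 && numcols > 0) {
        m->data_ = calloc((size_t)numrows * (size_t)numcols, sizeof *m->data_);
        m->rows_ = calloc((size_t)numrows, sizeof *m->rows_);
        if (!m->data_ || !m->rows_) {
            free(m->data_); free(m->rows_); free(m);
            return NULL;
        }
        for (int i = 0; i < numrows; i++)
            m->rows_[i] = m->data_ + (size_t)i * (size_t)numcols;
    }
    return m;
}

void model_matrix_destroy(model_matrix_t *m)
{
    if (!m) return;
    free(m->data_); free(m->rows_); free(m);
}

/* Clip every element into [minval, maxval]; returns rows processed (constructed
 * return value so the early exit is observable). rows_[0] is read before
 * numrows_ is consulted, so rows_ == NULL would be dereferenced without the check. */
int model_matrix_clip(model_matrix_t *m, int minval, int maxval)
{
    if (!m->rows_) return 0;        /* the rows_ NULL check from comment 4 */
    int rowstep = m->numcols_;      /* rows are contiguous in this model */
    int *rowstart = m->rows_[0];    /* the read that crashed on NULL rows_ */
    for (int i = m->numrows_; i > 0; --i, rowstart += rowstep) {
        for (int j = 0; j < m->numcols_; j++) {
            if (rowstart[j] < minval) rowstart[j] = minval;
            else if (rowstart[j] > maxval) rowstart[j] = maxval;
        }
    }
    return m->numrows_;
}
```

Removing the `if (!m->rows_)` line and calling model_matrix_clip on the zero-row matrix reproduces the NULL dereference the report describes.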
Comment 5 Tomas Hoger 2016-02-01 15:57 EST
Created attachment 1120247 [details]
rows_ NULL check

Fridrich's patch from comment 3 with changes as indicated in comment 4.
Comment 7 Tomas Hoger 2016-02-01 16:02:38 EST
Reported as invalid read, but really is a NULL pointer dereference issue.  Hence impact is limited to application crash.
Comment 8 Tomas Hoger 2016-02-11 06:55:29 EST
Fridrich, any thoughts on the patch review comments in comment 4?  I assume you're using your original version in SUSE updates.
Comment 9 Fridrich Strba 2016-02-11 07:07:42 EST
No, I use your patch since you provided it.
Comment 10 Tomas Hoger 2016-02-17 04:05:40 EST
Ok, thank you!
Comment 11 Tomas Hoger 2016-02-17 04:06:30 EST
No plans to fix in jasper packages in Red Hat Enterprise Linux 6 and 7.
Comment 12 Tomas Hoger 2016-11-23 17:53:08 EST
Fixed upstream in version 1.900.3:

https://github.com/mdadams/jasper/commit/c87ad330a8b8d6e5eb0065675601fdfae08ebaab
Comment 14 errata-xmlrpc 2017-05-09 13:16:07 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
