Red Hat Bugzilla – Bug 1388866
CVE-2016-8882 jasper: uninitialized tile->pi pointer use in JPC decoder
Last modified: 2017-03-01 10:40:31 EST
Null pointer access due to improper initialization was found in jpc_pi_destroy. Upstream patch: https://github.com/mdadams/jasper/commit/69a1439a5381e42b06ec6a06ed2675eb793babee CVE assignment: http://seclists.org/oss-sec/2016/q4/216
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1388874] Affects: epel-7 [bug 1388876]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1388873] Affects: epel-5 [bug 1388875]
Upstream bug report: https://github.com/mdadams/jasper/issues/30 The problem was in the jpc_dec_process_siz() function, which did not initialize tile->pi. Later on, when tile data was freed, non-NULL tile->pi led to the call of jpc_pi_destroy() function, which dereferenced and possibly tried to free uninitialized / invalid pointer. That could cause crash, or could possibly lead to use-after-free or double free. This issue did not affect jasper packages in Red Hat Enterprise Linux 6 and 7 because of the inclusion of the CVE-2008-3520 fix in those packages. The patch makes jpc_dec_process_siz() function use calloc instead of malloc when allocating dec->tiles memory, using this change: - if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { This was meant to protect against integer overflow when computing the amount of required memory allocation, but also has a side effect of initializing tile structure with zeros. I.e. tile->pi is initialized to 0 / NULL, which is equivalent to the upstream fix for this issue. This fix was also included in netpbm packages updates in Red Hat Enterprise Linux 4 and 5 via RHSA-2009:0012: https://rhn.redhat.com/errata/RHSA-2009-0012.html