Red Hat Bugzilla – Bug 1396981
CVE-2016-9399 jasper: reachable assertion in calcstepsizes()
Last modified: 2018-07-18 11:07:04 EDT
An assertion failure was possible to trigger in calcstepsizes. CVE assignment: http://seclists.org/oss-sec/2016/q4/441
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988]
Upstream bug report: https://github.com/mdadams/jasper/issues/83 Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Relevant information form the advisory: Affected version: 1.900.22 Output/failure: warning: trailing garbage in marker segment (9 bytes) warning: trailing garbage in marker segment (28 bytes) warning: trailing garbage in marker segment (40 bytes) warning: ignoring unknown marker segment (0xffee) type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f warning: trailing garbage in marker segment (12 bytes) imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:1650: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls – 1) – (numrlvls – 1 – ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))’ failed. Commit fix: N/A Fixed version: N/A Testcase: https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes CVE: CVE-2016-9399
Upstream bug is still open and unfixed. The issue is not reproducible in version 1.900.26 and later, as there's limit on maximum number of samples in one image used in those versions. The issue is reproducible in the latest 2.0.12 when no samples limit is used (specified using --max-samples 0 option for jasper command line tools).