Bug 1416069 (CVE-2017-5504) - CVE-2017-5504 jasper: Invalid memory read in jpc_undo_roi
Summary: CVE-2017-5504 jasper: Invalid memory read in jpc_undo_roi
Alias: CVE-2017-5504
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1406406 1406407 1406409 1434464
Blocks: 1449402
TreeView+ depends on / blocked
Reported: 2017-01-24 14:08 UTC by Andrej Nemec
Modified: 2020-12-12 00:47 UTC (History)
16 users (show)

Fixed In Version: jasper 2.0.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-12-12 00:47:08 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2017-01-24 14:08:53 UTC
A vulnerability was found in jasper. A crafted file could cause an invalid memory read.



Upstream bug:


Comment 1 Andrej Nemec 2017-01-24 14:24:36 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1406409]

Comment 2 Andrej Nemec 2017-01-24 14:24:49 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1406406]

Comment 3 Tomas Hoger 2017-03-01 13:49:36 UTC
Original reporter's advisory:


Relevant info from the advisory:

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0)
==22872==The signal is caused by a READ memory access.
    #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10
    #1 0x7f8e4a543b92 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1104
    #2 0x7f8e4a534cdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f8e4a53e6b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f8e4a53e6b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f8e4a4a0b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f8e495a861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 in jpc_undo_roi

Affected version: 1.900.27

The issue is still not fixed in the latest upstream 2.0.11.

Comment 5 Tomas Hoger 2020-12-11 21:47:45 UTC
Upstream commit:


Fixed upstream in jasper 2.0.17.

Comment 6 Product Security DevOps Team 2020-12-12 00:47:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.