oCERT reports a double-free issue in jas_iccattrval_destroy() in jasper: In jas_icctxt_input() if there's an error, there's a call to jas_free(txt->string) which is freeing attrval->data.txt, but later on jas_iccattrval_destroy it tries to call free on it again. Acknowledgements: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Created attachment 967282 [details] Possible patch - variant 1 This uses somewhat conservative approach. It changes iccattrvalinfo destroy ops functions to set variables to NULL after free(), so even if called repeatedly, double-free is avoided. It also changes jas_icctxt_input() to call jas_icctxt_destroy() on error, rather than performing memory freeing directly.
Created attachment 967283 [details] Possible patch - variant 2 This removes jas_icc*_destroy() calls from error code paths in iccattrvalinfo input ops functions (jas_icc*_input()). This should not introduce any memory leak, as input ops functions only seem to be called from jas_iccprof_load(), and if they return error, jas_iccattrval_destroy() gets called, which leads to destroy op call. if ((*attrval->ops->input)(attrval, in, len)) { goto error; } ... error: ... if (attrval) jas_iccattrval_destroy(attrval);
Created attachment 967284 [details] Additional fix to avoid assert() abort If one of the above patches is applied, assert(iccprof) is triggered in jp2_decode(), aborting application using jasper. This fix makes jasper fail more gracefully.
All patches look good to me. I have no problem with the 'not so conservative' patch (variant 2). It doesn't seem to cause any leaks.
Ack, thank you for review. I also view the second variant as preferred.
Public now via oCERT-2014-012 advisory. External References: http://www.ocert.org/advisories/ocert-2014-012.html
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1175762] Affects: epel-7 [bug 1175764]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1175761] Affects: epel-5 [bug 1175763]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html
mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html
Fixed upstream in version 1.900.3: https://github.com/mdadams/jasper/commit/4bb93a6c49da7c1b6ad2acb60b18954a6547c637