oCERT reports an issue in jasper discovered by pyddeh:

"""
jpc_dec.c:1204:

    dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
    dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
    dec->numtiles = dec->numhtiles * dec->numvtiles;
    if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }

the dec->XXX in JPC_CEILDIV are all directly from the codestream, so dec->numtiles can be 0. In that case, the minimum-sized chunk returned by malloc can, depending on the code stream, be used later. I think this can cause the same problems as a use after free.

Fix proposal:

    if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }
"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.
(In reply to Vasyl Kaigorodov from comment #0)
> Fix proposal:
>
> if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles *
> sizeof(jpc_dec_tile_t)))) {
> return -1;
> }

LGTM
While the patch looks harmless, it's unclear to me how it helps, as the issue is not clearly identified in the report. As far as I can see, all dec->tiles[] accesses use dec->numtiles as an upper bound, so there does not seem to be any issue with overflowing the under-allocated buffer. It's unclear where the reported use-after-free-like problem should happen.
(In reply to Tomas Hoger from comment #2)
> As far as I can see, all dec->tiles[] accesses user dec->numtiles as an upper
> bound, so there does not seem to be any issue with overflowing under-allocated
> buffer.

The check in jpc_dec_process_sot() is actually off-by-one:

    if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
        jas_eprintf("invalid tile number in SOT marker segment\n");
        return -1;
    }

    /* Set the current tile. */
    dec->curtile = &dec->tiles[sot->tileno];
    tile = dec->curtile;

sot->tileno equal to dec->numtiles already makes dec->tiles[] access outside of the allocated bounds.
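The two defects discussed in comment #0 and comment #3 (a zero tile count reaching jas_malloc, and the off-by-one `>` in the SOT tile-number check), side by side with their corrected forms, as an added self-contained C example. This is not jasper's code or the Fedora patch: the decoder struct, `make_dec()`, the `jpc_dec_*_unpatched`/`_patched` function names, and the `tileno < 0` guard are constructed for this example, and `tilewidth`/`tileheight` are assumed to have been validated as non-zero by the SIZ marker parsing before the division below.

```c
#include <stdio.h>
#include <stdlib.h>

/* Same macro as jasper's jpc_dec.c: ceiling of x / y for positive y. */
#define JPC_CEILDIV(x, y) (((x) + (y) - 1) / (y))

/* Minimal stand-ins for the decoder state touched by the two checks
   (constructed for this example; field names follow jpc_dec.c). */
typedef struct { int tileno; } jpc_dec_tile_t;

typedef struct {
    int xend, yend, tilexoff, tileyoff, tilewidth, tileheight; /* from SIZ */
    int numhtiles, numvtiles, numtiles;
    jpc_dec_tile_t *tiles;
} jpc_dec_t;

/* Tile grid geometry exactly as the codestream declares it. All six inputs
   come straight from the SIZ marker, so nothing here is trustworthy yet.
   tilewidth/tileheight are assumed already checked to be non-zero. */
static void jpc_dec_compute_numtiles(jpc_dec_t *dec)
{
    dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
    dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
    dec->numtiles = dec->numhtiles * dec->numvtiles;
}

/* Before the fix: a zero tile count becomes malloc(0). On glibc that returns
   a valid, minimum-sized, non-NULL block, so the allocation "succeeds" and
   every later dec->tiles[...] access lands outside the allocation. */
int jpc_dec_alloc_tiles_unpatched(jpc_dec_t *dec)
{
    jpc_dec_compute_numtiles(dec);
    if (!(dec->tiles = malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }
    return 0;
}

/* After the fix proposed in the report: reject an empty tile grid before
   allocating. The report checks == 0; <= 0 is used here (an addition of
   this example) so a negative product from inconsistent SIZ values is
   rejected too instead of becoming a huge size_t. */
int jpc_dec_alloc_tiles_patched(jpc_dec_t *dec)
{
    jpc_dec_compute_numtiles(dec);
    if (dec->numtiles <= 0 ||
        !(dec->tiles = malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }
    return 0;
}

/* Before the fix: off-by-one. tileno == numtiles passes the check and the
   caller then indexes one element past the end of dec->tiles.
   Returns 0 when the tile number would be accepted, -1 when rejected. */
int jpc_dec_check_sot_unpatched(const jpc_dec_t *dec, int tileno)
{
    if (tileno > dec->numtiles) {
        return -1; /* "invalid tile number in SOT marker segment" */
    }
    return 0;
}

/* After the fix: valid indices are 0 .. numtiles-1. The negative-value
   guard (what JAS_CAST(int, ...) can yield for a huge unsigned tileno) is
   an addition of this example, not part of the reported fix. */
int jpc_dec_check_sot_patched(const jpc_dec_t *dec, int tileno)
{
    if (tileno < 0 || tileno >= dec->numtiles) {
        return -1;
    }
    return 0;
}

/* Constructed SIZ geometry: 64x64 tiles, no offset, image extent given. */
static jpc_dec_t make_dec(int xend, int yend)
{
    jpc_dec_t d = {0};
    d.xend = xend;
    d.yend = yend;
    d.tilewidth = 64;
    d.tileheight = 64;
    return d;
}

int main(void)
{
    jpc_dec_t ok = make_dec(128, 128);   /* 2x2 grid, numtiles == 4 */
    jpc_dec_t empty = make_dec(0, 0);    /* xend == tilexoff -> 0 tiles */

    printf("patched alloc, 2x2 grid: %d (numtiles=%d)\n",
           jpc_dec_alloc_tiles_patched(&ok), ok.numtiles);
    printf("patched alloc, empty grid: %d (numtiles=%d)\n",
           jpc_dec_alloc_tiles_patched(&empty), empty.numtiles);
    printf("SOT tileno 4 of 4, unpatched: %d, patched: %d\n",
           jpc_dec_check_sot_unpatched(&ok, 4), jpc_dec_check_sot_patched(&ok, 4));
    free(ok.tiles);
    return 0;
}
```

The point the example makes concrete is that the two bugs compound: with numtiles forced to 0 the unpatched allocation still succeeds, and with the `>` comparison a tile number equal to numtiles is accepted, so tileno 0 indexes a zero-length buffer. Fixing only the allocation leaves the off-by-one read of `dec->tiles[numtiles]` on otherwise valid files.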
Public now via oCERT-2015-001.

External References:

http://www.ocert.org/advisories/ocert-2015-001.html
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]
Patch that was added to Fedora jasper packages:

http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
Statement: (none)
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html
This issue has been addressed in the following products:

  OpenShift Enterprise 2.0, 2.1 and 2.2

Via:
  RHBA-2015:0075 https://rhn.redhat.com/errata/RHBA-2015-0075.html
  RHBA-2015:0076 https://rhn.redhat.com/errata/RHBA-2015-0076.html
  RHBA-2015:0077 https://rhn.redhat.com/errata/RHBA-2015-0077.html
mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/3fd4067496d8ef70f11841d7492ddeb1f1d56915