oCERT reports an issue in jasper discovered by pyddeh:

"""
In jpc_qmfb.c JasPer uses variable length arrays where the sizes are derived from the codestream data, e.g. jpc_qmfb.c:305:

    void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
    {
        int bufsize = JPC_CEILDIVPOW2(numcols, 1);
    #if !defined(HAVE_VLA)
        jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
    #else
        jpc_fix_t splitbuf[bufsize];
    #endif
        jpc_fix_t *buf = splitbuf;

Here, numcols is from the codestream, in other places it's numrows.

I'm not sure how bad this is, but some broken codestreams I generated crashed there with negative numbers, which I think is dangerous if combined with VLAs.

Fix proposal: remove the VLA code (see attached patch).
"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.
Created attachment 976831: jpc_qmfb.c.patch
Created attachment 977736: do not define HAVE_VLA

(In reply to Vasyl Kaigorodov from comment #0)
> some broken codestreams i generated crashed there
> with negative numbers, which i think is dangerous if combined with VLAs.

Can you perhaps upload such file(s)?

> Fix proposal: remove the VLA code (see attached patch).

This can more easily be achieved by not defining HAVE_VLA, see my patch.
This does not seem to be a buffer overflow issue. The problem that was reported is that if HAVE_VLA is defined, the size of the stack-based splitbuf[] or joinbuf[] is determined at runtime based on the values from the processed image. This approach has the drawback that there's no real error check used - allocation of the buffer is done by subtracting from the stack pointer. As a consequence, the start of splitbuf[] / joinbuf[] may be outside of the stack memory - typically unmapped memory, but it may reach the stack memory of other threads and possibly heap memory. Use of such a buffer leads to memory corruption. Given how those buffers are used, the program will crash on an attempt to access unmapped memory before the end of the affected functions is reached. Hence an exploit would require a race against another thread or a signal handler. The proposed fix removes the use of variable length arrays, which makes jasper use a fixed size stack array, or allocate memory from the heap if a larger buffer is needed.

(In reply to Jiri Popelka from comment #2)
> Can you perhaps upload such file(s)?

No reproducer is available; oCERT / the original reporter may or may not be able to provide one.

> > Fix proposal: remove the VLA code (see attached patch).
>
> This can more easily be achieved by not defining HAVE_VLA, see my patch.

Agree, either approach should work. As HAVE_VLA is not used elsewhere in the jasper sources, the fixes should be equivalent. Complete removal makes it less likely to have the code re-enabled by accident in the future.
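To make the difference concrete, here is an added example (not jasper's code, and not the attached patch) of the non-VLA pattern the comment above describes: a fixed stack buffer for the common case, an explicit, checkable heap allocation for larger rows, and validation of the codestream-derived size before any buffer is sized. QMFB_SPLITBUFSIZE comes from the report; the function and helper names, the buffer size value and the fix_t type are assumed.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values: jasper's real constant and fixed-point type differ. */
#define QMFB_SPLITBUFSIZE 4096
#define CEILDIVPOW2(x, y) (((x) + (1 << (y)) - 1) >> (y))
typedef int fix_t;

/* Moves the samples whose index has the given parity to the front of
 * a[0..numcols) and the others behind them (a lifting-style split).
 * Returns 0 on success, -1 on an invalid size or allocation failure. */
int safe_split_row(fix_t *a, int numcols, int parity)
{
    fix_t splitbuf[QMFB_SPLITBUFSIZE];   /* fixed size: no runtime stack growth */
    fix_t *buf = splitbuf;
    int bufsize, nlow, nhigh, i;

    /* A VLA would silently accept a negative size; reject it up front. */
    if (numcols < 0 || numcols == INT_MAX || (parity != 0 && parity != 1))
        return -1;
    bufsize = CEILDIVPOW2(numcols, 1);
    if (bufsize > QMFB_SPLITBUFSIZE) {
        buf = malloc((size_t)bufsize * sizeof(*buf));   /* checkable fallback */
        if (buf == NULL)
            return -1;
    }
    nlow = (numcols + 1 - parity) / 2;   /* samples with index % 2 == parity */
    nhigh = numcols - nlow;              /* the rest; never exceeds bufsize */

    for (i = 0; i < nhigh; i++)          /* park the second half in buf */
        buf[i] = a[2 * i + 1 - parity];
    for (i = 0; i < nlow; i++)           /* compact the first half in place */
        a[i] = a[2 * i + parity];
    memcpy(a + nlow, buf, (size_t)nhigh * sizeof(*a));

    if (buf != splitbuf)
        free(buf);
    return 0;
}

/* Check helper: splits a constructed ramp 0..numcols-1 and returns a[idx],
 * or -1 if the split was rejected or idx is out of range. */
int split_ramp_at(int numcols, int parity, int idx)
{
    fix_t *a = malloc((numcols > 0 ? (size_t)numcols : 1) * sizeof(*a));
    int i, v = -1;
    if (a == NULL) return -1;
    for (i = 0; i < numcols; i++) a[i] = i;
    if (safe_split_row(a, numcols, parity) == 0 && idx >= 0 && idx < numcols)
        v = a[idx];
    free(a);
    return v;
}
```

A row of 10000 samples takes the heap path (bufsize 5000 > 4096), while a negative numcols is refused instead of shrinking the stack frame by an unchecked amount.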
Now it makes much more sense, thank you, Thomas!
Public now via oCERT-2015-001. External References: http://www.ocert.org/advisories/ocert-2015-001.html
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]
Patch that was added to Fedora jasper packages: http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch
Statement: (none)
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html
mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Fix was integrated upstream in version 1.900.2: https://github.com/mdadams/jasper/commit/0d64bde2b3ba7e1450710d540136a8ce4199ef30