A double free vulnerability in jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file was found. Vulnerable code: src/libjasper/base/jas_icc.c: 258 jas_iccprof_t *jas_iccprof_load(jas_stream_t *in) 259 { ... 294 for (i = 0; i < numtags; ++i) { 295 tagtabent = &prof->tagtab.ents[i]; 296 if (tagtabent->off == JAS_CAST(jas_iccuint32_t, prevoff)) { 297 if (prevattrval) { 298 if (!(attrval = jas_iccattrval_clone(prevattrval))) 299 goto error; 300 if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) 301 goto error; 302 jas_iccattrval_destroy(attrval); 303 } else { 304 #if 0 305 jas_eprintf("warning: skipping unknown tag type\n"); 306 #endif 307 } 308 continue; 309 } 310 reloff = tagtabent->off - curoff; 311 if (reloff > 0) { 312 if (jas_stream_gobble(in, reloff) != reloff) 313 goto error; 314 curoff += reloff; 315 } else if (reloff < 0) { 316 /* This should never happen since we read the tagged 317 element data in a single pass. */ 318 abort(); 319 } 320 prevoff = curoff; 321 if (jas_iccgetuint32(in, &type)) { 322 goto error; 323 } 324 if (jas_stream_gobble(in, 4) != 4) { 325 goto error; 326 } 327 curoff += 8; 328 if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) { 329 #if 0 330 jas_eprintf("warning: skipping unknown tag type\n"); 331 #endif 332 prevattrval = 0; 333 continue; 334 } 335 if (!(attrval = jas_iccattrval_create(type))) { 336 goto error; 337 } ... 353 error: 354 if (prof) 355 jas_iccprof_destroy(prof); 356 if (attrval) 357 jas_iccattrval_destroy(attrval); 358 return 0; 359 } attrval variable is assigned on line 298 and freed with the call to jas_iccattrval_destroy() on line 302. If the tests on lines 312, 321, or 324 are true, the same pointer will be passed a second time to jas_iccattrval_destroy() on line 357. Proposed patch: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch Public via: http://seclists.org/oss-sec/2016/q1/507
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1314469] Affects: epel-7 [bug 1314471]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1314468] Affects: epel-5 [bug 1314470]
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
The original Ubuntu bug report: https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1547865 Upstream commit, applied in version 1.900.2: https://github.com/mdadams/jasper/commit/74ea22a7a4fe186e0a0124df25e19739b77c4a29
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208