Bug 1416069 (CVE-2017-5504) - CVE-2017-5504 jasper: Invalid memory read in jpc_undo_roi
Summary: CVE-2017-5504 jasper: Invalid memory read in jpc_undo_roi
Status: NEW
Alias: CVE-2017-5504
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161120,repor...
Keywords: Security
Depends On: 1406409 1434464 1406406 1406407
Blocks: 1449402
TreeView+ depends on / blocked
 
Reported: 2017-01-24 14:08 UTC by Andrej Nemec
Modified: 2019-04-14 12:46 UTC (History)
17 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-24 14:08:53 UTC
A vulnerability was found in jasper. A crafted file could cause an invalid memory read.

References:

http://seclists.org/oss-sec/2017/q1/108

Upstream bug:

https://github.com/mdadams/jasper/issues/89

Comment 1 Andrej Nemec 2017-01-24 14:24:36 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1406409]

Comment 2 Andrej Nemec 2017-01-24 14:24:49 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1406406]

Comment 3 Tomas Hoger 2017-03-01 13:49:36 UTC
Original reporter's advisory:

https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c/

Relevant info from the advisory:

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0)
==22872==The signal is caused by a READ memory access.
    #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10
    #1 0x7f8e4a543b92 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1104
    #2 0x7f8e4a534cdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f8e4a53e6b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f8e4a53e6b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f8e4a4a0b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f8e495a861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 in jpc_undo_roi
==22872==ABORTING

Affected version: 1.900.27

The issue is still not fixed in the latest upstream 2.0.11.


Note You need to log in before you can comment on or make changes to this bug.