Bug 1434458 (CVE-2017-6850) - CVE-2017-6850 jasper: uninitialized pointer use in jp2_cdef_destroy()
Summary: CVE-2017-6850 jasper: uninitialized pointer use in jp2_cdef_destroy()
Alias: CVE-2017-6850
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1434464 1434465 1434466 1434467
Blocks: 1314477
TreeView+ depends on / blocked
Reported: 2017-03-21 14:31 UTC by Adam Mariš
Modified: 2019-09-29 14:08 UTC (History)
21 users (show)

Fixed In Version: jasper 2.0.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-03-31 15:02:36 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-03-21 14:31:34 UTC
Null pointer dereference vulnerability in jp2_cdef_destroy was found.

Upstream bug:


Upstream patch:




Comment 1 Adam Mariš 2017-03-21 14:44:59 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1434466]
Affects: fedora-all [bug 1434464]

Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]

Comment 2 Tomas Hoger 2017-03-31 14:58:43 UTC
The problem here was that the jp2_box_get() function, unlike jp2_box_create(), did not properly initialize members of the jp2_box_t structure after allocating it.  If some error occurred while reading data from the file before the structure was fully initialized causing jasper to call jp2_box_destroy().  While destroying the structure, and uninitialized pointer could be used or freed (e.g. in the jp2_cdef_destroy() function).

This issue did not affect the versions of jasper as shipped in Red Hat Enterprise Linux, as they used jas_calloc() instead of jas_malloc() to allocate jp2_box_t in jp2_box_get() causing it to be initialized.  This fix was included as part of the fix for CVE-2008-3520 (see bug 461476).

Comment 3 Tomas Hoger 2017-03-31 14:59:57 UTC
There's no released upstream version including the fix, but as the latest released is 2.0.12, and the fix is already committed, the next version - presumably 2.0.13 - should contain it.

Comment 4 Tomas Hoger 2017-03-31 15:01:03 UTC
Original reporter's advisory:


Relevant information from the advisory:

Another round of fuzzing shows that a crafted image causes a NULL pointer access.

The complete ASan output:

# imginfo -f $FILE
cannot parse box data
==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
    #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41da34 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:468
    #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:522
    #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:725
    #4 0x4d271c in free /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:50
    #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
    #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
    #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
    #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
    #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
    #10 0x50a3be in main /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
    #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong

Affected version: 2.0.10

Fixed version: 2.0.13 (not released atm)

Commit fix:

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: CVE-2017-6850


Comment 6 Andrej Nemec 2017-07-19 15:22:37 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]

Note You need to log in before you can comment on or make changes to this bug.