Bug 1664878 (CVE-2018-20570) - CVE-2018-20570 jasper: heap-based buffer over-read in jp2_encode()
Summary: CVE-2018-20570 jasper: heap-based buffer over-read in jp2_encode()
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-20570
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1664879 1664880 1664881
Blocks: 1664868
TreeView+ depends on / blocked
 
Reported: 2019-01-09 21:41 UTC by Laura Pardo
Modified: 2020-11-02 20:37 UTC (History)
1 user (show)

Fixed In Version: jasper 2.0.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-05 10:31:47 UTC
Embargoed:


Attachments (Terms of Use)

Description Laura Pardo 2019-01-09 21:41:59 UTC
A flaw was found in in JasPer 2.0.14. A heap-based buffer over-read in jp2_encode function in jp2/jp2_enc.c file.


References:
https://github.com/mdadams/jasper/issues/191

Comment 1 Laura Pardo 2019-01-09 21:42:47 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1664879]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1664881]
Affects: fedora-all [bug 1664880]

Comment 5 Tomas Hoger 2020-05-05 09:15:07 UTC
This problem is in the following code in the jp2_encode() function:

https://github.com/mdadams/jasper/blob/version-2.0.16/src/libjasper/jp2/jp2_enc.c#L294-L312

There are calls to jas_image_cmpttype() as jas_image_cmpttype(image, 2), where jas_image_cmpttype() is a macro defined as:

#define jas_image_cmpttype(image, cmptno) \
    ((image)->cmpts_[(cmptno)]->type_)

Hence the code attempts to access cmpts_[] array in the image structure as positions 0, 1, and 2.  The problem is that the array may not be large enough, it only has size of image->numcmpts_ which may be less than 3 (it is 2 for the reproducer provided in the upstream report).  This leads to a short buffer over-read.  The value read is used as pointer and dereferenced, leading to invalid (possibly NULL) pointer deference, which is likely to trigger an immediate crash.

A possible fix here is to ensure that there are 3 components before performing the relevant checks.  I'm not sure if fewer than 3 components should always be handled as error when using RGB or YCBCR color spaces, or if fewer components can be used as long as matching cdef data is also provided.

It should be noted that this problem occurs when using the jasper library to convert a specially crafted image into jp2 format.  The problem does not affect the most common use case when the library is only used to read images in the JPEG2000 format.

The issues remains unfixed in the latest upstream version 2.0.16.

Comment 6 Product Security DevOps Team 2020-05-05 10:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20570

Comment 7 Tomas Hoger 2020-11-02 20:37:39 UTC
Upstream commit:

https://github.com/jasper-software/jasper/commit/03db7c81f6a8a92d896249bc673877749987fd7a

The issue was fixed upstream in jasper 2.0.17.


Note You need to log in before you can comment on or make changes to this bug.