jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

Jasper aborted found by fuzzing #183

Closed stuartly closed 4 years ago

stuartly commented 6 years ago
Bug1:

stly@stly-XPS-8700:~/Desktop/TargetFuzz/Benchmark/VulBenchmark/jasper-2.0.14$ ./installed/bin/jasper -f fuzzing_output/crashes/id\:000000\,sig\:06\,src\:000000\,op\:havoc\,rep\:2 -F 1.jp2 -T jp2
jasper: /home/stly/Desktop/TargetFuzz/Benchmark/VulBenchmark/jasper-2.0.14/src/libjasper/jpc/jpc_math.c:113: int jpc_firstone(int): Assertion `x >= 0' failed.
Aborted

Bug2:

stly@stly-XPS-8700:~/Desktop/TargetFuzz/Benchmark/VulBenchmark/jasper-2.0.14$ ./installed/bin/jasper -f fuzzing_output/crashes/id\:000002\,sig\:06\,src\:000110\,op\:havoc\,rep\:2 -F 1.jp2 -T jp2
jasper: /home/stly/Desktop/TargetFuzz/Benchmark/VulBenchmark/jasper-2.0.14/src/libjasper/jpc/jpc_enc.c:186: uint_fast32_t jpc_abstorelstepsize(jpc_fix_t, int): Assertion `!((expn) & (~0x1f))' failed.
Aborted

Attachment is the POC. POC.tar.gz
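Both crashes in the report are assertions acting as input validation: jpc_firstone refuses a negative argument and jpc_abstorelstepsize refuses an exponent that does not fit the 5-bit field, and on a fuzzed file either check aborts the whole process. As an added illustration (this is not JasPer's code and not the fix in the commits linked below), the same two checks written to report an error the caller can handle instead of aborting. The helper names, the bool/out-parameter convention and the 11-bit mantissa check (the JPEG 2000 scalar step-size field holds a 5-bit exponent and an 11-bit mantissa) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical replacement for the first assertion: index of the most
 * significant set bit of a non-negative value. Negative input is rejected
 * with a false return instead of assert(x >= 0) aborting the process. */
bool safe_firstone(int x, int *out)
{
    if (x < 0) {
        return false;          /* caller treats this as a malformed input */
    }
    int n = -1;                /* zero has no set bit: result is -1 */
    while (x > 0) {
        x >>= 1;
        ++n;
    }
    *out = n;
    return true;
}

/* Hypothetical replacement for the second assertion: the step-size exponent
 * is stored in a 5-bit field, so any bit outside 0x1f cannot be encoded. */
bool stepsize_exponent_ok(int expn)
{
    return (expn & ~0x1f) == 0;
}

/* Validate a (exponent, mantissa) pair before it is written to a codestream.
 * Returns 0 on success, -1 for a bad exponent, -2 for a bad mantissa
 * (the 11-bit mantissa limit is the standard's field width, an assumption
 * of this example rather than something taken from the report). */
int validate_stepsize(int expn, int mant)
{
    if (!stepsize_exponent_ok(expn)) {
        return -1;
    }
    if ((mant & ~0x7ff) != 0) {
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the values a fuzzer would drive into the checks. */
    int bit;
    printf("firstone(-5): %s\n", safe_firstone(-5, &bit) ? "ok" : "rejected");
    if (safe_firstone(8, &bit)) {
        printf("firstone(8) = %d\n", bit);
    }
    printf("exponent 32: %s\n", stepsize_exponent_ok(32) ? "ok" : "rejected");
    printf("validate(31, 2047) = %d\n", validate_stepsize(31, 2047));
    printf("validate(32, 0) = %d\n", validate_stepsize(32, 0));
    return 0;
}
```

The point of the rewrite is the failure mode: with an error return, a decoder or encoder can drop the offending file and continue, whereas an assertion turns every malformed input into a crash.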

MaxKellermann commented 4 years ago
  1. is CVE-2018-9055, see https://github.com/jasper-maint/jasper/issues/9 and https://github.com/mdadams/jasper/issues/172, fixed by https://github.com/jasper-maint/jasper/commit/e6c8d5a838b49f94616be14753aa5c89d64605b5 in our fork

  2. is CVE-2018-9252, see https://github.com/jasper-maint/jasper/issues/16 and https://github.com/mdadams/jasper/issues/173, fixed by https://github.com/jasper-maint/jasper/commit/6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d in our fork

jubalh commented 4 years ago

Merged as

  1. e6c8d5a838b49f94616be14753aa5c89d64605b5
  2. 6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d