jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

NULL pointer dereference was discovered #184

Closed YourButterfly closed 4 years ago

YourButterfly commented 5 years ago

An issue was discovered in Jasper 2.0.14. There is a NULL pointer dereference at function ras_putdatastd

In file: /home/pwd/fuzz/fuzz-jasper/jenkins/jasper/src/libjasper/ras/ras_enc.c

    nz = 0;
    for (x = 0; x < hdr->width; x++) {
        z <<= hdr->depth;
        if (RAS_ISRGB(hdr)) {
            v = RAS_RED((jas_matrix_getv(data[0], x))) |
              RAS_GREEN((jas_matrix_getv(data[1], x))) |   // ► line 264: faulting access, data[1] is NULL
              RAS_BLUE((jas_matrix_getv(data[2], x)));
        } else {
            v = (jas_matrix_getv(data[0], x));
        }
        z |= v & RAS_ONES(hdr->depth);

// Program received signal SIGSEGV (fault address 0x28)
// pwndbg> p data[1]
// $16 = (jas_matrix_t *) 0x0
// pwndbg> p data
// $17 = {0x6080000081a0, 0x0, 0x0}

At the site where `data` is defined, the value of "numcmpts" is 1:

    for (i = 0; i < numcmpts; ++i) {
        if (!(data[i] = jas_matrix_create(jas_image_height(image),
          jas_image_width(image)))) {
            goto error;
        }
    }

command line

./jasper  --input-format jpc --output /dev/null --output-format ras --input poc

poc.zip

carnil commented 5 years ago

CVE-2018-18873 was assigned for this issue.

apoleon commented 5 years ago

The data array contains a NULL pointer. A perhaps too simplistic solution could be to check whether this is the case and then either continue or goto error. At least it mitigates against this issue.

https://gist.github.com/apoleon/eb4e396b510f2bb5a925660dab09be79
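The guard apoleon describes, written out as an added example that is neither JasPer's code nor the linked gist. It models the situation from the report: the header says RGB (so the packing loop indexes `data[1]` and `data[2]`), but only `numcmpts == 1` planes were allocated. The toy types (`toy_hdr_t`, `toy_matrix_t`), the `TOY_*` macros and `pack_row` are constructed stand-ins for the JasPer structures and the `RAS_*` macros; the check runs once before the loop and rejects a header whose component count does not match the planes actually present, instead of dereferencing a NULL plane inside the loop.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the JasPer types used in ras_putdatastd. */
typedef struct {
    int width;
    int32_t *row;        /* one row of samples */
} toy_matrix_t;

typedef struct {
    int width;
    int type;            /* 1 = RGB, 0 = grayscale (constructed encoding) */
} toy_hdr_t;

#define TOY_ISRGB(hdr)  ((hdr)->type == 1)
#define TOY_RED(v)      ((uint32_t)((v) & 0xff) << 16)
#define TOY_GREEN(v)    ((uint32_t)((v) & 0xff) << 8)
#define TOY_BLUE(v)     ((uint32_t)((v) & 0xff))

static int32_t toy_getv(const toy_matrix_t *m, int x) { return m->row[x]; }

/* Packs one row of pixels into out[]. Returns the number of pixels packed,
 * or -1 if the header requires component planes that were never allocated.
 * The validation block is the guard the original loop lacks: with an RGB
 * header and numcmpts == 1, data[1] and data[2] are NULL and the original
 * code dereferences them. */
int pack_row(const toy_hdr_t *hdr, toy_matrix_t *data[3], int numcmpts, uint32_t *out)
{
    if (TOY_ISRGB(hdr)) {
        if (numcmpts < 3 || !data[0] || !data[1] || !data[2])
            return -1;   /* mismatch between header and planes: bail out */
    } else {
        if (numcmpts < 1 || !data[0])
            return -1;
    }

    for (int x = 0; x < hdr->width; x++) {
        uint32_t v;
        if (TOY_ISRGB(hdr)) {
            v = TOY_RED(toy_getv(data[0], x)) |
                TOY_GREEN(toy_getv(data[1], x)) |
                TOY_BLUE(toy_getv(data[2], x));
        } else {
            v = (uint32_t)toy_getv(data[0], x);
        }
        out[x] = v;
    }
    return hdr->width;
}

/* Constructed sample planes (two pixels each). */
static int32_t red_row[2]   = {1, 2};
static int32_t green_row[2] = {3, 4};
static int32_t blue_row[2]  = {5, 6};
static int32_t gray_row[2]  = {7, 8};

/* Scenario from the report: RGB header but only one plane allocated. */
int demo_rgb_header_one_plane(void)
{
    toy_hdr_t hdr = { 2, 1 };
    toy_matrix_t plane0 = { 2, red_row };
    toy_matrix_t *data[3] = { &plane0, NULL, NULL };   /* numcmpts == 1 */
    uint32_t out[2];
    return pack_row(&hdr, data, 1, out);                /* -1, no dereference */
}

/* Well-formed RGB input: all three planes present. */
uint32_t demo_rgb_first_pixel(void)
{
    toy_hdr_t hdr = { 2, 1 };
    toy_matrix_t p0 = { 2, red_row }, p1 = { 2, green_row }, p2 = { 2, blue_row };
    toy_matrix_t *data[3] = { &p0, &p1, &p2 };
    uint32_t out[2];
    if (pack_row(&hdr, data, 3, out) != 2) return 0;
    return out[0];                                      /* 1<<16 | 3<<8 | 5 */
}

/* Well-formed grayscale input: a single plane is all the header needs. */
uint32_t demo_gray_first_pixel(void)
{
    toy_hdr_t hdr = { 2, 0 };
    toy_matrix_t p0 = { 2, gray_row };
    toy_matrix_t *data[3] = { &p0, NULL, NULL };
    uint32_t out[2];
    if (pack_row(&hdr, data, 1, out) != 2) return 0;
    return out[0];
}
```

Checking the plane count against the header once, before the loop, is the cheaper and clearer of the two options in the comment above ("continue or goto error"): skipping a NULL plane inside the loop would silently emit a wrong image, while rejecting the mismatch up front turns a crash on fuzzed input into an ordinary encoder error.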

YourButterfly commented 5 years ago

cool work @apoleon

MaxKellermann commented 4 years ago

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many). This bug will be fixed by https://github.com/jasper-maint/jasper/pull/38 (merge pending)