Closed wuk0n9 closed 4 years ago
After applying my patches I cannot reproduce this issue anymore. See
This problem is in the following code:
https://github.com/mdadams/jasper/blob/version-2.0.16/src/libjasper/jp2/jp2_enc.c#L294-L312
That code accesses the image->cmpts_[] array (via the jas_image_cmpttype() macro) at indices 0, 1, and 2 even in cases when that array is smaller (when image->numcmpts_ is less than 3; it's 2 for this reproducer).
I'm not sure if image->numcmpts_ < 3 should always be considered an error for the JAS_CLRSPC_FAM_RGB and JAS_CLRSPC_FAM_YCBCR color spaces, or if processing should continue by requiring CDEF. I.e., whether it's sufficient to change those checks to:
if (jas_image_numcmpts(image) >= 3 &&
jas_image_cmpttype(image, 0) ==
JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) &&
...
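A stand-alone model of the check discussed in this comment, added here as example code (not JasPer's own): cmpt_type() stands in for jas_image_cmpttype(), the struct names and CT_* constants are made up, and the hardened variant puts the component-count test first, as the comment proposes, so that indices 0..2 are only read when they exist.

```c
#include <stdio.h>
#include <stdlib.h>
/* Component type tags; placeholder values, not JasPer's constants. */
enum { CT_RGB_R = 1, CT_RGB_G = 2, CT_RGB_B = 3, CT_OPACITY = 99 };

/* Stand-in for jas_image_t: numcmpts valid entries in a heap array. */
typedef struct { int type; } cmpt_t;
typedef struct { int numcmpts; cmpt_t *cmpts; } img_t;

/* Modelled on jas_image_cmpttype(): an unchecked index into cmpts[].
 * Reading cmpts[2] of a 2-entry array is the heap overflow in the report. */
static int cmpt_type(const img_t *im, int i) { return im->cmpts[i].type; }

/* The check as reported: it assumes three components exist, so it must
 * never be called on an image with fewer. Kept only for comparison. */
static int looks_rgb_unchecked(const img_t *im) {
    return cmpt_type(im, 0) == CT_RGB_R &&
           cmpt_type(im, 1) == CT_RGB_G &&
           cmpt_type(im, 2) == CT_RGB_B;
}

/* Hardened form from the comment above: the count test comes first and
 * && short-circuits, so cmpts[0..2] are read only when they exist. */
static int looks_rgb_checked(const img_t *im) {
    return im->numcmpts >= 3 &&
           cmpt_type(im, 0) == CT_RGB_R &&
           cmpt_type(im, 1) == CT_RGB_G &&
           cmpt_type(im, 2) == CT_RGB_B;
}

/* Builds a constructed image with exactly n components of the given types. */
static img_t make_img(int n, const int *types) {
    img_t im = { n, calloc((size_t)n, sizeof(cmpt_t)) };
    for (int i = 0; i < n; i++) im.cmpts[i].type = types[i];
    return im;
}

int main(void) {
    int two[] = { CT_RGB_R, CT_RGB_G };              /* the reproducer's shape */
    int three[] = { CT_RGB_R, CT_RGB_G, CT_RGB_B };
    img_t a = make_img(2, two), b = make_img(3, three);
    /* Only the checked form is safe to call on a: it reports 0 without
     * touching cmpts[2]. Both agree on a genuine 3-component RGB image. */
    printf("2 cmpts: checked=%d\n", looks_rgb_checked(&a));
    printf("3 cmpts: checked=%d unchecked=%d\n",
           looks_rgb_checked(&b), looks_rgb_unchecked(&b));
    free(a.cmpts);
    free(b.cmpts);
    return 0;
}
```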
Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many). This bug will be fixed by https://github.com/jasper-maint/jasper/pull/38 (merge pending)
A crafted input leads to a heap-buffer-overflow failure in jp2_enc.c:309 at jasper version-2.0.14 and the master branch.
Triggered by ./jasper --output /dev/null --output-format jp2 --input ./crashes/poc
PoC: poc.zip
The ASAN information is as follows:
FoundBy: wu.an.1900@gmail.com