jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

Access of Uninitialized Pointer in jpc_enc_cp_destroy #263

Closed zodf0055980 closed 3 years ago

zodf0055980 commented 3 years ago

I built jasper with clang-11 (the error also occurs with clang-9).

Build:

$ cd jasper/build
$ export CC='clang-11 -fsanitize=address'
$ export CFLAGS='-g'
$ cmake ..
$ make -j 8

poc: poc.zip

reproduce:

➜  appl git:(master) ✗ ./jasper --input ./poc --output ./test.jp2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1992==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000041cf74 bp 0x000000000000 sp 0x7fff40b140e0 T0)
==1992==The signal is caused by a READ memory access.
==1992==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x41cf74 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/home/yuan/jasper/build-clang/src/appl/jasper+0x41cf74)
    #1 0x495cf1 in free (/home/yuan/jasper/build-clang/src/appl/jasper+0x495cf1)
    #2 0x7fa9cb74496e in jas_free /home/yuan/jasper/src/libjasper/base/jas_malloc.c:255:2
    #3 0x7fa9cb79dcd3 in jpc_enc_cp_destroy /home/yuan/jasper/src/libjasper/jpc/jpc_enc.c:787:4
    #4 0x7fa9cb7947e7 in cp_create /home/yuan/jasper/src/libjasper/jpc/jpc_enc.c:778:3
    #5 0x7fa9cb78ee48 in jpc_encode /home/yuan/jasper/src/libjasper/jpc/jpc_enc.c:287:13
    #6 0x7fa9cb7661c0 in jp2_encode /home/yuan/jasper/src/libjasper/jp2/jp2_enc.c:403:6
    #7 0x7fa9cb737ea2 in jas_image_encode /home/yuan/jasper/src/libjasper/base/jas_image.c:462:33
    #8 0x4c690e in main /home/yuan/jasper/src/appl/jasper.c:276:6
    #9 0x7fa9ca4d7bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41be79 in _start (/home/yuan/jasper/build-clang/src/appl/jasper+0x41be79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/yuan/jasper/build-clang/src/appl/jasper+0x41cf74) in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==1992==ABORTING

I also tried using --debug-level. This tries to free erroneous memory:

jas_free(0xbebebebebebebebe)
zodf0055980 commented 3 years ago

Oops, I think this is an ASAN false positive for freeing the uninitialized cp->tcp.ilyrrates struct.
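The pattern the stack trace shows (cp_create failing partway through building the coding-parameter object and handing the half-built object to jpc_enc_cp_destroy, which frees every member unconditionally) is reproduced below as an added, stand-alone example. It is not JasPer code: the struct, member names, the counting allocator wrappers and the fail_step failure injection are hypothetical stand-ins. The buggy constructor leaves pointer members unwritten, so under AddressSanitizer they hold the allocator's 0xbe fill pattern, which is exactly why the debug output above reports jas_free(0xbebebebebebebebe). The fixed constructor zero-initialises the object before any failure path can reach the destroy routine, so free(NULL) turns the partial teardown into a no-op, and the failure injection verifies that every partial state is released without leaking.

```c
/*
 * Added example (not JasPer code): freeing a never-initialised pointer from
 * a destroy routine invoked on a partially built object, beside the fix of
 * zero-initialising the object up front.  All names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>

/* Counting wrappers so the example can show that the fixed path neither
   leaks nor frees anything it did not allocate. */
static int live_allocs = 0;

static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void *xcalloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    if (p) live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) live_allocs--;
    free(p);   /* free(NULL) is defined to do nothing */
}

/* Hypothetical stand-in for the encoder's coding-parameter struct. */
typedef struct {
    int numlyrs;
    double *ilyrrates;     /* allocated in step 2 */
    int *prcwidthexpns;    /* allocated in step 3 */
} cp_t;

/* Releases every member unconditionally, like jpc_enc_cp_destroy in the
   trace.  Safe only if each pointer is NULL or a live allocation; a pointer
   that was never written is neither. */
void cp_destroy(cp_t *cp)
{
    if (!cp) return;
    xfree(cp->ilyrrates);
    xfree(cp->prcwidthexpns);
    xfree(cp);
}

/* Buggy variant: malloc() leaves the members holding whatever bytes the
   allocator returned (under ASan: the 0xbe fill pattern).  If step 2 fails,
   neither pointer has been written and cp_destroy() frees garbage.
   fail_step 0 = no injected failure; 2 or 3 = fail at that allocation.
   Only call with fail_step == 0 outside a deliberate crash reproduction. */
cp_t *cp_create_buggy(int numlyrs, int fail_step)
{
    cp_t *cp = xmalloc(sizeof(*cp));
    if (!cp) return NULL;
    cp->numlyrs = numlyrs;
    if (fail_step == 2 || !(cp->ilyrrates = xmalloc(numlyrs * sizeof(double))))
        goto error;
    if (fail_step == 3 || !(cp->prcwidthexpns = xmalloc(numlyrs * sizeof(int))))
        goto error;
    return cp;
error:
    cp_destroy(cp);   /* may free an uninitialised pointer */
    return NULL;
}

/* Fixed variant: calloc() makes every pointer member NULL before the first
   failure path exists, so cp_destroy() on a partial object is harmless. */
cp_t *cp_create_fixed(int numlyrs, int fail_step)
{
    cp_t *cp = xcalloc(1, sizeof(*cp));
    if (!cp) return NULL;
    cp->numlyrs = numlyrs;
    if (fail_step == 2 || !(cp->ilyrrates = xcalloc(numlyrs, sizeof(double))))
        goto error;
    if (fail_step == 3 || !(cp->prcwidthexpns = xcalloc(numlyrs, sizeof(int))))
        goto error;
    return cp;
error:
    cp_destroy(cp);   /* only NULL or live pointers reach free() */
    return NULL;
}

/* Drives the fixed constructor through one failure point and returns the
   number of allocations still live afterwards (0 means clean teardown). */
int cleanup_leak_count(int fail_step)
{
    live_allocs = 0;
    cp_t *cp = cp_create_fixed(4, fail_step);
    cp_destroy(cp);   /* NULL-safe when construction failed */
    return live_allocs;
}

int main(void)
{
    const int steps[] = { 0, 2, 3 };
    for (size_t i = 0; i < sizeof(steps) / sizeof(steps[0]); i++)
        printf("fail_step=%d -> live allocations after cleanup: %d\n",
               steps[i], cleanup_leak_count(steps[i]));
    return 0;
}
```

The same discipline applies to JasPer-style code: either allocate the object with a zeroing allocator, or set every pointer member to NULL immediately after allocation and before the first early return that can call the destroy routine.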