Closed dgh05t closed 3 years ago
It crashes here:
https://github.com/jasper-software/jasper/blob/version-2.0.24/src/libjasper/jp2/jp2_dec.c#L434
It happens on an attempt to access dec->image->cmpts_[3], while dec->image->numcmpts_ is 3.
Note that the first version that crashes with this reproducer is 2.0.20, and bisecting changes since 2.0.19 found a4dc77cca1163347d0aa677d56da332c3f119021 as the first affected. It's not immediately obvious if that commit introduces the issue, or if it only makes it reachable for a particular reproducer.
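The crash described above is an index of 3 into a component array whose length is 3. The following is an added illustration of the invariant behind that report, not jasper's code and not the fix shipped in 2.0.25: every component index that comes from file metadata must be checked against numcmpts before cmpts is indexed. It uses simplified stand-ins for jasper's image structure (assumed names image_t/cmpt_t/get_cmpt) and a small parser for the JP2 Channel Definition (cdef) box, whose payload is a 2-byte entry count followed by 2-byte Cn, Typ, Asoc triples. The sample box bytes are constructed for the example; they refer to a fourth channel of a three-component image, which is exactly the shape of access the report shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the decoder's image and component structures.
 * These are assumptions for the example, not jasper's real definitions. */
typedef struct { int width; int height; } cmpt_t;
typedef struct { unsigned numcmpts; cmpt_t *cmpts; } image_t;

/* One entry of a JP2 cdef box: channel index, type, association. */
typedef struct { uint16_t chan; uint16_t type; uint16_t assoc; } cdef_ent_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a cdef box payload (N, then N x (Cn, Typ, Asoc), all big-endian
 * 16-bit). Returns the entry count, or -1 if the payload is truncated or
 * holds more entries than the caller's buffer. */
int parse_cdef(const uint8_t *buf, size_t len, cdef_ent_t *out, size_t max)
{
    if (len < 2) return -1;
    unsigned n = rd16(buf);
    if (n > max || len < 2 + (size_t)n * 6) return -1;
    for (unsigned i = 0; i < n; i++) {
        const uint8_t *e = buf + 2 + (size_t)i * 6;
        out[i].chan = rd16(e);
        out[i].type = rd16(e + 2);
        out[i].assoc = rd16(e + 4);
    }
    return (int)n;
}

/* Checked accessor: NULL instead of &cmpts[idx] when idx >= numcmpts.
 * This is the check whose absence the report's cmpts_[3] access shows. */
const cmpt_t *get_cmpt(const image_t *img, unsigned idx)
{
    if (!img || !img->cmpts || idx >= img->numcmpts) return NULL;
    return &img->cmpts[idx];
}

/* Assumes no palette (pclr) box, so channel i is codestream component i;
 * then every Cn in the cdef box must name an existing component. */
int cdef_refs_valid(const cdef_ent_t *ents, int n, const image_t *img)
{
    for (int i = 0; i < n; i++)
        if (!get_cmpt(img, ents[i].chan)) return 0;
    return 1;
}

/* Constructed sample: a 3-component image with a cdef box that defines
 * four colour channels, the last one referring to channel 3. */
static cmpt_t sample_cmpts[3] = { {8, 8}, {8, 8}, {8, 8} };
static const image_t sample_img = { 3, sample_cmpts };
static const uint8_t bad_cdef[] = {
    0x00, 0x04,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x00, 0x02, 0x00, 0x00, 0x00, 0x03,
    0x00, 0x03, 0x00, 0x00, 0x00, 0x04,   /* Cn = 3, but numcmpts = 3 */
};
static const uint8_t good_cdef[] = {
    0x00, 0x03,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x00, 0x02, 0x00, 0x00, 0x00, 0x03,
};

/* Returns 1 when the box validates against the sample image, 0 when it
 * references a component that does not exist, -1 on a malformed box. */
int check_sample(const uint8_t *box, size_t len)
{
    cdef_ent_t ents[16];
    int n = parse_cdef(box, len, ents, 16);
    if (n < 0) return -1;
    return cdef_refs_valid(ents, n, &sample_img);
}

int demo_bad_cdef(void)  { return check_sample(bad_cdef, sizeof bad_cdef); }
int demo_good_cdef(void) { return check_sample(good_cdef, sizeof good_cdef); }

int main(void)
{
    printf("bad cdef valid: %d\n", demo_bad_cdef());
    printf("good cdef valid: %d\n", demo_good_cdef());
    return 0;
}
```

A decoder that rejects the box in the first case never reaches the cmpts_[3] dereference; with the report's reproducer the rejection has to happen before any component-indexed code runs, since the bisected commit may only have changed where that unchecked index is first used.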
@dgh05t @thoger This problem appears to be resolved by the fix for #264. Please give version-2.0.25 a try. If this does not fix the problem for you, let me know, and I can reopen the issue. Incidentally, I added the JP2 files for #264 and #265 to the test suite (as poc_264.jp2 and poc_265.jp2).
CVE-2021-26927 has been assigned for this issue.
Hi, there's a Null Pointer Access in jp2_decode /home/dgh05t/fuzz/jasper-master/src/libjasper/jp2/jp2_dec.c:442
Run the poc with "./jasper -f ~/Desktop/poc2.jp2 --output-format jpg"
poc: poc2.zip