jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

jp2_decode() Null Pointer Access #265

Closed dgh05t closed 3 years ago

dgh05t commented 3 years ago

Hi, there's a Null Pointer Access in jp2_decode at /home/dgh05t/fuzz/jasper-master/src/libjasper/jp2/jp2_dec.c:442. Run the PoC with "./jasper -f ~/Desktop/poc2.jp2 --output-format jpg". PoC: poc2.zip

thoger commented 3 years ago

It crashes here:

https://github.com/jasper-software/jasper/blob/version-2.0.24/src/libjasper/jp2/jp2_dec.c#L434

It happens on an attempt to access dec->image->cmpts_[3], while dec->image->numcmpts_ is 3.

Note that the first version that crashes with this reproducer is 2.0.20, and bisecting changes since 2.0.19 found a4dc77cca1163347d0aa677d56da332c3f119021 as the first affected. It's not immediately obvious if that commit introduces the issue, or if it only makes it reachable for a particular reproducer.
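The failure mode described above (a component index of 3 taken from the file while the image only has 3 components, so index 3 is one past the end) is the classic shape of an untrusted-index lookup. As an added illustration, not code from JasPer or from anyone in this thread, the following C sketch uses hypothetical structures and function names (image_t, image_getcmpt, map_channel, try_map) to show the check a decoder needs before dereferencing a component chosen by file data:

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for a decoder's image object: a
 * component array plus its length. Mirrors the numcmpts_/cmpts_ relation
 * described in the comment above; these are NOT JasPer's real types. */
typedef struct { int width; int height; } image_cmpt_t;

typedef struct {
    int numcmpts;          /* number of valid entries in cmpts */
    image_cmpt_t *cmpts;   /* array of numcmpts components */
} image_t;

/* Look up a component by index. Returns NULL instead of reading past the
 * end of cmpts when the index (which may come from the file) is out of
 * range, e.g. cmptno 3 when numcmpts is 3. */
image_cmpt_t *image_getcmpt(const image_t *image, int cmptno)
{
    if (!image || !image->cmpts)
        return NULL;
    if (cmptno < 0 || cmptno >= image->numcmpts)
        return NULL;
    return &image->cmpts[cmptno];
}

/* Map a channel from a (file-supplied) channel definition onto an image
 * component. Returns 0 on success, -1 if the component does not exist. */
int map_channel(const image_t *image, int channel_cmptno, int *width_out)
{
    image_cmpt_t *cmpt = image_getcmpt(image, channel_cmptno);
    if (!cmpt)
        return -1;
    *width_out = cmpt->width;
    return 0;
}

/* Build a constructed numcmpts-component image (all 64 wide) and try to
 * map channel cmptno; returns map_channel's result. */
int try_map(int numcmpts, int cmptno)
{
    image_cmpt_t *cmpts = calloc((size_t)numcmpts, sizeof *cmpts);
    image_t image = { numcmpts, cmpts };
    int w = 0, rc;
    if (!cmpts)
        return -1;
    for (int i = 0; i < numcmpts; i++)
        cmpts[i].width = cmpts[i].height = 64;
    rc = map_channel(&image, cmptno, &w);
    free(cmpts);
    return rc;
}
```

The same pattern applies to any index a JP2 box supplies (channel definitions, palette mappings): validate against the component count the image actually has, and fail the decode rather than trust the file.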

mdadams commented 3 years ago

@dgh05t @thoger This problem appears to be resolved by the fix for #264. Please give version-2.0.25 a try. If this does not fix the problem for you, let me know, and I can reopen the issue. Incidentally, I added the JP2 files for #264 and #265 to the test suite (as poc_264.jp2 and poc_265.jp2).

utkarsh2102 commented 3 years ago

CVE-2021-26927 has been assigned for this issue.