jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

Invalid memory write in jas_icc.c:1333:23 #367

Closed pip-izony closed 9 months ago

pip-izony commented 9 months ago

Environment

Ubuntu 22.04.3 LTS

Compiler

clang version 11.0.0 Target: x86_64-unknown-linux-gnu Thread model: posix

Affected Version

jasper 4.1.1

Steps to reproduce

pushd jasper
mkdir builds
mkdir install
export SOURCE_DIR=$PWD
export INSTALL_DIR=$SOURCE_DIR/install
export BUILD_DIR=$SOURCE_DIR/builds
cmake -H$SOURCE_DIR -B$BUILD_DIR -DCMAKE_INSTALL_PREFIX=$INSTALL_DIR -DJAS_ENABLE_SHARED=false
cmake --build $BUILD_DIR --target install

pushd builds/src/app
./jasper -f <PoCfile> -T jp2

Contents of PoCfile

Unzip the file below.

PoC.zip

Expected behavior

Print error or warning messages handled within jasper.

Current behavior

warning: skipping unknown tag type
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1700826==ERROR: AddressSanitizer: SEGV on unknown address 0x6041000022ef (pc 0x00000054868c bp 0x0c220000014f sp 0x7ffc39e39f40 T0)
==1700826==The signal is caused by a WRITE memory access.
    #0 0x54868c in jas_icctxt_input /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1333:23
    #1 0x5362da in jas_iccprof_load /home/Desktop/work_space/asper/src/libjasper/base/jas_icc.c:404:7
    #2 0x5411ce in jas_iccprof_createfrombuf /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1870:15
    #3 0x5c97f5 in jp2_decode /home/Desktop/work_space/jasper/src/libjasper/jp2/jp2_dec.c:312:13
    #4 0x56251b in jas_image_decode /home/Desktop/work_space/jasper/src/libjasper/base/jas_image.c:445:16
    #5 0x4fc883 in main /home/Desktop/work_space/jasper/src/app/jasper.c:320:16
    #6 0x7f7e97629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f7e97629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x41f664 in _start (/home/Desktop/work_space/jasper/builds/src/app/jasper+0x41f664)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/Desktop/work_space/jasper/src/libjasper/base/jas_icc.c:1333:23 in jas_icctxt_input
==1700826==ABORTING
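The trace above ends in jas_icctxt_input, which by its name is JasPer's reader for ICC 'text'-type tag data (an assumption; the issue itself does not say what jas_icc.c:1333 does). As an added example that is not part of this issue or of JasPer, the script below is a defender-side pre-check for the ICC tag table that a JP2 decoder walks before reaching tag readers like that one: it rejects tags whose offset and size fall outside the profile buffer, tags too short to hold a type signature plus reserved bytes, and 'text' tags whose data is not NUL-terminated. The profile builder and the corruption helper construct sample input; they are not JasPer APIs.

```python
import struct

HEADER_LEN = 128          # ICC profile header size
TAG_ENTRY_LEN = 12        # signature, offset, size (all big-endian)

def build_profile(tags):
    """Construct a minimal ICC profile (header + tag table + tag data).
    `tags` is a list of (4-byte signature, data bytes). Sample input only."""
    data_start = HEADER_LEN + 4 + TAG_ENTRY_LEN * len(tags)
    entries, data = b"", b""
    for sig, payload in tags:
        entries += struct.pack(">4sII", sig, data_start + len(data), len(payload))
        data += payload
    header = struct.pack(">I", data_start + len(data)) + bytes(HEADER_LEN - 4)
    return header + struct.pack(">I", len(tags)) + entries + data

def corrupt_tag_size(profile, index, size):
    """Return a copy of `profile` with tag `index`'s size field overwritten,
    mimicking a malformed tag table such as a fuzzer might produce."""
    buf = bytearray(profile)
    struct.pack_into(">I", buf, HEADER_LEN + 4 + TAG_ENTRY_LEN * index + 8, size)
    return bytes(buf)

def check_tag_table(profile):
    """Return a list of problems found in the tag table; an empty list means
    every tag's [offset, offset+size) lies inside the buffer, every tag has
    room for its type signature, and 'text' tags are NUL-terminated.
    This is a sanity check to run before decoding, not a full ICC parser."""
    problems = []
    if len(profile) < HEADER_LEN + 4:
        return ["profile shorter than header + tag count"]
    declared = struct.unpack(">I", profile[:4])[0]
    if declared > len(profile):
        problems.append(f"header size {declared} exceeds buffer {len(profile)}")
    count = struct.unpack(">I", profile[HEADER_LEN:HEADER_LEN + 4])[0]
    table_end = HEADER_LEN + 4 + TAG_ENTRY_LEN * count
    if table_end > len(profile):
        return problems + [f"tag table of {count} entries overruns buffer"]
    for i in range(count):
        sig, off, ln = struct.unpack_from(">4sII", profile, HEADER_LEN + 4 + TAG_ENTRY_LEN * i)
        # Every tag body starts with a 4-byte type signature and 4 reserved bytes.
        if ln < 8 or off + ln > len(profile):
            problems.append(f"tag {sig!r}: offset {off} size {ln} out of range")
            continue
        if profile[off:off + 4] == b"text" and profile[off + ln - 1] != 0:
            problems.append(f"tag {sig!r}: text data not NUL-terminated")
    return problems
```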

jubalh commented 9 months ago

@mdadams Thanks for handling this so fast!

Fix confirmed:

jasper -f PoC -T jp2
warning: skipping unknown tag type
error: failed to parse ICC profile
jas_image_decode: decode operation failed
error: cannot load image data

jubalh commented 9 months ago

@pip-izony did you request a CVE for this, or do you plan to request one? Otherwise we'll do that.

pip-izony commented 9 months ago

@pip-izony did you request a CVE for this, or do you plan to request one? Otherwise we'll do that.

I want to report it to CVE. But if you report this bug, do I have anything to do?

jubalh commented 9 months ago

I want to report it to CVE.

Ok, then I'll wait :) Please comment the assigned CVE here once you have it.

If you report this bug, do I need to do it myself?

I didn't do it yet. I thought I'll ask you first whether you prefer to do it yourself.

pip-izony commented 9 months ago

Ok, then I will report the bug. Thank you for your reply :)

pip-izony commented 9 months ago

This issue has been assigned CVE-2023-51257

uvic-frodo commented 8 months ago

@jubalh I updated the NEWS file to mention this CVE.

L1-0 commented 8 months ago

Could you add further info on the impact this bug has? Is there a possibility to leverage this into an RCE condition?

jubalh commented 8 months ago

Could you add further info on the impact this bug has? Is there a possibility to leverage this into an RCE condition?

This is a task for security researchers. We are upstream, writing and maintaining an image library.

Affected people can update to the latest version. Distributions already started backporting the fix into released versions.