jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

The "jpc_streamlist_remove" function in "src/libjasper/jpc/jpc_dec.c:2407" in Jasper 4.2.2 has an assertion failure vulnerability. #381

Closed Arbusz closed 6 months ago

Arbusz commented 6 months ago

Hi, we found one crash in jasper (libjasper 4.2.2), which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC file along with the gdb log.

Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Command and args:

./jasper --input-format png --input-option verbose=true --output-format jp2 --output-option quality=90 --input poc --output /tmp/file0.jp2

gdb log:

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7b72859 in __GI_abort () at abort.c:79
#2  0x00007ffff7b72729 in __assert_fail_base (fmt=0x7ffff7d08588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x4604ac "streamno < streamlist->numstreams", file=0x46012c "/root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c", line=2407, function=<optimized out>) at assert.c:92
#3  0x00007ffff7b83fd6 in __GI___assert_fail (assertion=0x4604ac "streamno < streamlist->numstreams", file=0x46012c "/root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c", line=2407, function=0x4604ce "jas_stream_t *jpc_streamlist_remove(jpc_streamlist_t *, unsigned int)") at assert.c:101
#4  0x0000000000425fb2 in jpc_streamlist_remove (streamlist=0x4a0180, streamno=0) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:2407
#5  0x000000000042275f in jpc_dec_process_sod (dec=0x49f100, ms=0x49f220) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:614
#6  0x0000000000421e21 in jpc_dec_decode (dec=0x49f100) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:434
#7  0x00000000004217fe in jpc_decode (in=0x49adf0, optstr=0x497390 "verbose=true") at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:270
#8  0x000000000040e041 in jas_image_decode (in=0x49adf0, fmt=4, optstr=0x497390 "verbose=true") at /root/programs_rq5/jasper-4.2.2/src/libjasper/base/jas_image.c:445
#9  0x0000000000402dc2 in main (argc=13, argv=0x7fffffffe458) at /root/programs_rq5/jasper-4.2.2/src/app/jasper.c:320

jasper_poc.zip
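The trace above fails the assertion `streamno < streamlist->numstreams` with `streamno=0`, i.e. the decoder tried to take a stream from an empty list while processing an SOD marker. The following is an added example (not JasPer's code or its actual fix) of the defensive pattern that turns such an out-of-range index into a reported decode error instead of a SIGABRT; the `streamlist_t` type, the `*_checked` functions and the `demo_*` inputs are all constructed for illustration.

```c
#include <stddef.h>
/* Constructed stand-in for the decoder's stream list. Field names mirror
 * the failing assertion in the report; this is not JasPer's own code. */
typedef struct {
    void **streams;
    unsigned int numstreams;
} streamlist_t;

/* Remove and return entry streamno. In the reported build the only guard
 * was assert(streamno < streamlist->numstreams), so an empty list (the
 * streamno=0 case in the trace) aborted the process. Here the range check
 * is an ordinary error path: NULL tells the caller to fail the decode. */
void *streamlist_remove_checked(streamlist_t *sl, unsigned int streamno)
{
    if (sl == NULL || streamno >= sl->numstreams)
        return NULL;                             /* out of range: reject */
    void *s = sl->streams[streamno];
    for (unsigned int i = streamno + 1; i < sl->numstreams; ++i)
        sl->streams[i - 1] = sl->streams[i];     /* compact the array */
    sl->numstreams--;
    return s;
}

/* Caller modelled on the SOD-processing step in the trace: a missing
 * stream is a malformed-codestream error (-1), not a precondition. */
int process_sod_checked(streamlist_t *sl)
{
    void *s = streamlist_remove_checked(sl, 0);
    if (s == NULL)
        return -1;
    /* ... decode tile-part data from s ... */
    return 0;
}

/* Constructed inputs for a self-check. */
int demo_empty_list(void)
{
    streamlist_t sl = { NULL, 0 };       /* the state behind the crash */
    return process_sod_checked(&sl);     /* -1 instead of SIGABRT */
}

int demo_two_streams(void)
{
    int a = 1, b = 2;
    void *bufs[2] = { &a, &b };
    streamlist_t sl = { bufs, 2 };
    if (streamlist_remove_checked(&sl, 5) != NULL) return 1; /* rejected */
    if (streamlist_remove_checked(&sl, 0) != &a) return 2;   /* first one */
    if (sl.numstreams != 1 || sl.streams[0] != &b) return 3; /* compacted */
    return 0;                                                /* all checks hold */
}
```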

mdadams commented 6 months ago

@Arbusz The bug has been fixed on the master branch. If you get a CVE for this, please post it here so I can document that it has been fixed.

Arbusz commented 6 months ago

Thank you for your swift response to our inquiries.

Credit: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.

Arbusz commented 5 months ago

It's CVE-2024-31744.

mdadams commented 5 months ago

@Arbusz Thanks. I added the CVE to the NEWS file.