jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

Segv in `jas_heic_decode`. #383

Closed fdu-sec closed 5 months ago

fdu-sec commented 5 months ago

Summary

When JasPer parses a HEIF file, it may trigger a segmentation fault.

Details

Steps to reproduce:

# Step 1 : build a libheif with asan
# Step 2: build jasper with libheif
CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" cmake -DCMAKE_INSTALL_PREFIX=`realpath .` -DALLOW_IN_SOURCE_BUILD=1 -DJAS_ENABLE_LIBHEIF=1 -DCMAKE_LIBRARY_PATH=`realpath ../../libheif/build_asan/lib` -DJAS_ENABLE_MULTITHREADING_SUPPORT=0 ..
make -j
./src/app/jasper --enable-all-formats --input poc --output test.jpg

ASAN report:

=================================================================
==3887617==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff6a7c641 bp 0x7fffffffd8d0 sp 0x7fffffffd8c0 T0)
==3887617==The signal is caused by a READ memory access.
==3887617==Hint: address points to the zero page.
    #0 0x7ffff6a7c640 in std::__shared_ptr<HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/7/bits/shared_ptr_base.h:1258
    #1 0x7ffff6a7fae9 in std::__shared_ptr_access<HeifContext::Image, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/7/bits/shared_ptr_base.h:975
    #2 0x7ffff6a7b7d5 in std::__shared_ptr_access<HeifContext::Image, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const /usr/include/c++/7/bits/shared_ptr_base.h:969
    #3 0x7ffff6a64e00 in heif_decode_image /home//supply/put/jasper_heif/libheif/libheif/heif.cc:1029
    #4 0x7ffff7196988 in jas_heic_decode /home//supply/put/jasper_heif/jasper/src/libjasper/heic/heic_dec.c:222
    #5 0x7ffff710cd5a in jas_image_decode /home//supply/put/jasper_heif/jasper/src/libjasper/base/jas_image.c:445
    #6 0x5555555595f3 in main /home//supply/put/jasper_heif/jasper/src/app/jasper.c:320
    #7 0x7ffff6f04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x55555555844d in _start (/home//supply/put/jasper_heif/jasper/build_asan/src/app/jasper+0x444d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/7/bits/shared_ptr_base.h:1258 in std::__shared_ptr<HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::get() const
==3887617==ABORTING

Version

jasper : 29154a52b6c2b895ac3db60d51be9f2a995ee145

Code Analysis

// src/libjasper/heic/heic_dec.c
heif_context_get_primary_image_handle(ctx, &handle);

Maybe a check is needed for this handle.

POC

poc.zip
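The report points at an unchecked primary-image-handle lookup followed by a dereference inside `heif_decode_image`. The block below is an added example, not code from JasPer or libheif and not the fix shipped in 4.2.4: it uses constructed stand-in types (`fake_heif_*`) that mirror the libheif call shape (an error struct returned by value plus an out-pointer for the handle, with the real API's `struct heif_error` `.code` compared against `heif_error_Ok`) so it compiles offline, and shows the guard a decoder should apply before handing the handle to the decode step. The contexts built by `make_good_context` and `make_bad_context` are constructed inputs, not parsed HEIF data.

```c
/* Added example (not JasPer's or libheif's code): check both the error code
 * and the out-pointer from a primary-image-handle lookup before using it.
 * All fake_heif_* names are constructed stand-ins mirroring libheif's shape. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error/handle types (assumption: same shape as libheif's). */
enum fake_heif_error_code { FAKE_HEIF_OK = 0, FAKE_HEIF_NO_PRIMARY = 1 };
struct fake_heif_error { int code; const char *message; };
struct fake_heif_handle { int width; int height; };

/* Minimal "context": a file either declares a primary image or it does not. */
struct fake_heif_context { int has_primary; struct fake_heif_handle primary; };

/* Mirrors heif_context_get_primary_image_handle's contract: on failure it
 * returns a non-zero code and leaves *handle_out NULL. */
static struct fake_heif_error
fake_get_primary_image_handle(struct fake_heif_context *ctx,
                              struct fake_heif_handle **handle_out)
{
    struct fake_heif_error err = { FAKE_HEIF_OK, "ok" };
    *handle_out = NULL;
    if (!ctx->has_primary) {
        err.code = FAKE_HEIF_NO_PRIMARY;
        err.message = "no primary image in container";
        return err;
    }
    *handle_out = &ctx->primary;
    return err;
}

/* Stand-in for the decode step; it dereferences the handle unconditionally,
 * which is why a NULL handle reaching it produces the reported SEGV. */
static int fake_decode_image(const struct fake_heif_handle *handle)
{
    return handle->width * handle->height;
}

/* Hardened decode path: reject the input when the lookup reports an error
 * or yields no handle. Returns the pixel count on success, -1 on rejection. */
int decode_primary_checked(struct fake_heif_context *ctx)
{
    struct fake_heif_handle *handle = NULL;
    struct fake_heif_error err = fake_get_primary_image_handle(ctx, &handle);
    if (err.code != FAKE_HEIF_OK || handle == NULL) {
        fprintf(stderr, "decode rejected: %s\n", err.message);
        return -1;
    }
    return fake_decode_image(handle);
}

/* Constructed inputs: one well-formed file, one lacking a primary image. */
struct fake_heif_context make_good_context(void)
{
    struct fake_heif_context ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.has_primary = 1;
    ctx.primary.width = 4;
    ctx.primary.height = 3;
    return ctx;
}

struct fake_heif_context make_bad_context(void)
{
    struct fake_heif_context ctx;
    memset(&ctx, 0, sizeof ctx);   /* has_primary == 0 */
    return ctx;
}

int main(void)
{
    struct fake_heif_context good = make_good_context();
    struct fake_heif_context bad = make_bad_context();
    printf("good input: %d pixels\n", decode_primary_checked(&good));
    printf("bad input: %d\n", decode_primary_checked(&bad));
    return 0;
}
```

The check tests the error code and the pointer separately: a library may report success while still handing back a null handle in some code paths, and a caller that only trusts one of the two signals still has a null-dereference window.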

mdadams commented 5 months ago

Fixed in JasPer 4.2.4.