oss-sec mailing list archives

jasper: signed integer overflow in jas_image.c


From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 19 Nov 2016 15:47:14 +0100

If suitable for a CVE please assign one. Thanks.

Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

The undefined behavior sanitizer shows a signed integer overflow in 
jas_image.c. As you can see, the commit which fixes the issue is not a fix 
itself for the signed integer overflow, but changed a bit how things work in 
jasper.

The complete UBSan output:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'

Affected version:
1.900.17

Fixed version:
1.900.25

Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
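The overflow in the UBSan output quoted above is a product of a very large sample count and a small per-sample factor that wraps in a signed `long`. As an added example, not taken from jasper or from the commit linked above, this is how such an allocation-size computation can be made to reject oversized inputs instead of invoking undefined behaviour; the function names and the width * height * prec formula are assumptions standing in for whatever jas_image.c computes at line 162.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply two signed 64-bit values; report overflow instead of wrapping.
 * Returns false and leaves *out untouched when the product does not fit. */
bool mul_checked(int64_t a, int64_t b, int64_t *out)
{
    int64_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return false;
    *out = r;
    return true;
}

/* Bytes needed for a width x height component with `prec` bits per sample,
 * rounded up to whole bytes. Returns -1 if an input is non-positive or any
 * intermediate value overflows int64_t. The formula is an assumption for
 * this example, not jasper's own. */
int64_t component_bytes(int64_t width, int64_t height, int64_t prec)
{
    int64_t pixels, bits;
    if (width <= 0 || height <= 0 || prec <= 0)
        return -1;
    if (!mul_checked(width, height, &pixels))
        return -1;
    if (!mul_checked(pixels, prec, &bits))
        return -1;
    /* bits + 7 can itself overflow when bits is close to INT64_MAX. */
    if (__builtin_add_overflow(bits, 7, &bits))
        return -1;
    return bits / 8;
}

int main(void)
{
    int64_t r;
    /* The operands UBSan reported above: the checked form refuses them. */
    bool ok = mul_checked(INT64_C(8543608947741818625), 15, &r);
    printf("8543608947741818625 * 15 fits: %s\n", ok ? "yes" : "no");
    printf("640x480 @ 8 bit  -> %lld bytes\n", (long long)component_bytes(640, 480, 8));
    printf("640x480 @ 12 bit -> %lld bytes\n", (long long)component_bytes(640, 480, 12));
    printf("oversized         -> %lld\n",
           (long long)component_bytes(INT64_C(8543608947741818625), 1, 15));
    return 0;
}
```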
