oss-sec mailing list archives
jasper: signed integer overflow in jas_image.c
From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 19 Nov 2016 15:47:14 +0100
If suitable for a CVE please assign one. Thanks.

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

The undefined behavior sanitizer shows a signed integer overflow in jas_image.c. As you can see, the commit which fixes the issue is not itself a fix for the signed integer overflow, but rather changes a bit how things work in jasper.

The complete UBSan output:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'

Affected version:
1.900.17

Fixed version:
1.900.25

Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c

--
Agostino Sarubbo
Gentoo Linux Developer
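The UBSan line above gives the exact operands that overflowed. As an added example (not jasper's code and not the linked upstream fix), the following shows the kind of checked multiplication a decoder can use so an oversized dimension product is rejected instead of silently wrapping; `checked_mul_i64` and `image_data_size` and its parameters are hypothetical names chosen for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not jasper's code: a checked 64-bit multiply.
 * A plain `a * b` on signed operands is undefined behaviour when the
 * product does not fit, which is exactly what UBSan reported for
 * jas_image.c. __builtin_mul_overflow (GCC/Clang) reports the overflow
 * instead of wrapping, so the caller can reject the input. */
bool checked_mul_i64(int64_t a, int64_t b, int64_t *out)
{
    int64_t tmp;
    if (__builtin_mul_overflow(a, b, &tmp)) {
        return false;               /* product does not fit in int64_t */
    }
    *out = tmp;
    return true;
}

/* Hypothetical image-size computation of the shape the sanitizer flagged:
 * width * height * bytes per sample. Returns -1 on a negative input or on
 * overflow so the caller rejects the file rather than allocating a
 * wrapped-around size. */
int64_t image_data_size(int64_t width, int64_t height, int64_t bytes_per_sample)
{
    int64_t area, total;
    if (width < 0 || height < 0 || bytes_per_sample < 0) {
        return -1;
    }
    if (!checked_mul_i64(width, height, &area)) {
        return -1;
    }
    if (!checked_mul_i64(area, bytes_per_sample, &total)) {
        return -1;
    }
    return total;
}

int main(void)
{
    /* Constructed inputs; the first pair is the product from the UBSan report. */
    int64_t r = 0;
    printf("8543608947741818625 * 15: %s\n",
           checked_mul_i64(8543608947741818625LL, 15, &r) ? "ok" : "rejected");
    printf("1920x1080x3: %lld bytes\n", (long long)image_data_size(1920, 1080, 3));
    return 0;
}
```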
Current thread:
- jasper: signed integer overflow in jas_image.c Agostino Sarubbo (Nov 19)
- Re: jasper: signed integer overflow in jas_image.c cve-assign (Nov 22)