|
Message-ID: <1528713.C8CqGc87r5@arcadia> Date: Tue, 23 Aug 2016 20:40:27 +0200 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: Fuzzing jasper Hello all, I fuzzed jasper and it revealed some crashes, we know that jasper has no more release(s) since a lot of time, so there are some unfixed vulnerabilities. Based on what I said, I don't know if any of the following crashes have been reported in the past. I know that Jasper clearly state about its capability on the BMP format, so if you think that something is suitable for an identifier, please assign one. Thanks. NOTE: The command used in all cases was: imginfo $CRAFTED_IMAGE 1) THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. skipping unknown data in BMP file ASAN:DEADLYSIGNAL ================================================================= ==13574==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000527ec0 bp 0x7ffcf635ce10 sp 0x7ffcf635cae0 T0) #0 0x527ebf in bmp_getdata /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:383:5 #1 0x527ebf in bmp_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:190 #2 0x4f79dd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:379:16 #3 0x4f1bda in main /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/appl/imginfo.c:179:16 #4 0x7f3f0ced761f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #5 0x4194c8 in _init (/usr/bin/imginfo+0x4194c8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata ==13574==ABORTING 2) warning: trailing garbage in marker segment (2 bytes) ASAN:DEADLYSIGNAL ================================================================= ==13576==ERROR: AddressSanitizer: FPE on unknown address 0x00000056de64 (pc 0x00000056de64 bp 0x60200000ed32 sp 0x7ffc1b2ae000 T0) #0 0x56de63 in jpc_dec_process_siz /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1195:17 #1 0x57bf9f in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:390:10 #2 0x57bf9f in jpc_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:254 #3 0x4f79dd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:379:16 #4 0x4f1bda in main /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/appl/imginfo.c:179:16 #5 0x7f9b0ef8161f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #6 0x4194c8 in _init (/usr/bin/imginfo+0x4194c8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1195:17 in jpc_dec_process_siz ==13576==ABORTING 3) warning: trailing garbage in marker segment (5 bytes) ASAN:DEADLYSIGNAL ================================================================= ==13578==ERROR: AddressSanitizer: FPE on unknown address 0x00000056dee4 (pc 0x00000056dee4 bp 0x60200000ed32 sp 0x7ffd7776d2e0 T0) #0 0x56dee3 in jpc_dec_process_siz /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1197:18 #1 0x57bf9f in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:390:10 #2 0x57bf9f in jpc_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:254 #3 0x4f79dd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:379:16 #4 0x4f1bda in main /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/appl/imginfo.c:179:16 #5 0x7f18d9ef761f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #6 0x4194c8 in _init (/usr/bin/imginfo+0x4194c8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpc/jpc_dec.c:1197:18 in jpc_dec_process_siz ==13578==ABORTING 4) Corrupt JPEG data: 1 extraneous bytes before marker 0xc4 ================================================================= ==13591==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0: #0 0x4c0710 in free /var/tmp/temp/portage/sys-devel/llvm-3.8.0- r2/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 #1 0x51f8f8 in mem_close /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_stream.c:1073:3 #2 0x511c97 in jas_stream_close /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_stream.c:460:2 #3 0x4f528f in jas_image_cmpt_destroy /tmp/portage/media- libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:350:3 #4 0x4f528f in jas_image_cmpt_create /tmp/portage/media- libs/jasper-1.900.1-r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:340 #5 0x4fbf37 in jas_image_addcmpt /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:676:18 #6 0x62e9b5 in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpg/jpg_dec.c:247:7 #7 0x62e9b5 in jpg_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/jpg/jpg_dec.c:171 #8 0x4f79dd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:379:16 #9 0x4f1bda in main /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/appl/imginfo.c:179:16 #10 0x7f2f12fca61f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #11 0x4194c8 in _init (/usr/bin/imginfo+0x4194c8) 0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80) freed by thread T0 here: #0 0x4c0d98 in realloc /var/tmp/temp/portage/sys-devel/llvm-3.8.0- r2/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71 #1 0x51eeb2 in mem_resize /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_stream.c:989:14 #2 0x51eeb2 in mem_write /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_stream.c:1012 previously allocated by thread T0 here: #0 0x4c0a18 in malloc /var/tmp/temp/portage/sys-devel/llvm-3.8.0- r2/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52 #1 0x5111b9 in jas_stream_memopen /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_stream.c:215:15 SUMMARY: AddressSanitizer: double-free /var/tmp/temp/portage/sys- devel/llvm-3.8.0-r2/work/llvm-3.8.0.src/projects/compiler- rt/lib/asan/asan_malloc_linux.cc:38 in free ==13591==ABORTING 5) THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. skipping unknown data in BMP file ASAN:DEADLYSIGNAL ================================================================= ==13704==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000528253 bp 0x7ffc34880750 sp 0x7ffc34880420 T0) #0 0x528252 in bmp_getdata /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:385:5 #1 0x528252 in bmp_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:190 #2 0x4f79dd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/base/jas_image.c:379:16 #3 0x4f1bda in main /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/appl/imginfo.c:179:16 #4 0x7f58cf3a461f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #5 0x4194c8 in _init (/usr/bin/imginfo+0x4194c8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.1- r9/work/jasper-1.900.1/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata ==13704==ABORTING -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.