Reachable assertions in jpc_dec_process_siz() #165

thoger · 2017-12-05T21:14:20Z

The following was reported by @owl337 in Red Hat Bugzilla, but apparently they never reported it upstream, hence re-reporting upstream. There problems were reported separate and with 2 CVEs, but merging those reports to a single upstream ticket as both issues are related. Markdown formatting of this report is mine.

--8<--

CVE-2017-13750
https://bugzilla.redhat.com/show_bug.cgi?id=1485280

Description of problem:

There is a reachable assertion abort in function jpc_dec_process_siz() of JasPer that will lead to remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./imginfo -f POC4

Steps to Reproduce:

The output information is as follows:

$ ./imginfo -f POC4
warning: trailing garbage in marker segment (80 bytes)
imginfo: /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1296: int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *): Assertion `dec->numhtiles >= 0' failed.

The gdb debugging information is listed below:

(gdb) set args POC4
(gdb) r 
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/secreal/jasper/install/bin/imginfo -f fuzz/output/crashes/id:000096,sig:06,src:002236,op:havoc,rep:2
warning: trailing garbage in marker segment (80 bytes)

Breakpoint 4, jpc_dec_process_siz (dec=<optimized out>, ms=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1296
1296		assert(dec->numhtiles >= 0);
(gdb) n
imginfo: /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1296: int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *): Assertion `dec->numhtiles >= 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff71f8428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff71f8428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff71fa02a in __GI_abort () at abort.c:89
#2  0x00007ffff71f0bd7 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x7ffff7bc08c6 "dec->numhtiles >= 0", 
    file=file@entry=0x7ffff7bc02f0 "/home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c", 
    line=line@entry=1296, 
    function=function@entry=0x7ffff7bc08da "int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *)") at assert.c:92
#3  0x00007ffff71f0c82 in __GI___assert_fail (assertion=0x7ffff7bc08c6 "dec->numhtiles >= 0", 
    file=0x7ffff7bc02f0 "/home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c", line=1296, 
    function=0x7ffff7bc08da "int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *)") at assert.c:101
#4  0x00007ffff7b464cc in jpc_dec_process_siz (dec=<optimized out>, ms=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1296
#5  0x00007ffff7b49ceb in jpc_dec_decode (dec=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:424
#6  jpc_decode (in=<optimized out>, optstr=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:261
#7  0x00007ffff7b059ce in jas_image_decode (in=<optimized out>, fmt=<optimized out>, optstr=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/base/jas_image.c:442
#8  0x0000000000401bab in main (argc=<optimized out>, argv=<optimized out>)
    at /home/icy/secreal/jasper/src/appl/imginfo.c:238
(gdb)

Trigged in:

Breakpoint 4, jpc_dec_process_siz (dec=<optimized out>, ms=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1296
1291	
1292		dec->image = 0;
1293	
1294		dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
1295		dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
1296		assert(dec->numhtiles >= 0);
1297		assert(dec->numvtiles >= 0);
1298		if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) ||
1299		  size > INT_MAX) {
1300			return -1;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Reproducer: POC4.zip

--8<--

CVE-2017-13746
https://bugzilla.redhat.com/show_bug.cgi?id=1485286

Description of problem:

There is a reachable assertion abort in function jpc_dec_process_siz() of JasPer that will lead to remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest

How reproducible:

./imginfo -f POC8

Steps to Reproduce:

The output information is as follows:

$ ./imginfo -f POC8
imginfo: /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1297: int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *): Assertion `dec->numvtiles >= 0' failed.
Aborted (core dumped)

The gdb debugging information is listed below:

(gdb) set args POC8
(gdb) r 
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/secreal/jasper/install/bin/imginfo -f fuzz/output/crashes/id:000110,sig:06,src:001265,op:int32,pos:94,val:be:+1000
imginfo: /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1297: int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *): Assertion `dec->numvtiles >= 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff71f8428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff71f8428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff71fa02a in __GI_abort () at abort.c:89
#2  0x00007ffff71f0bd7 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x7ffff7bc090b "dec->numvtiles >= 0", 
    file=file@entry=0x7ffff7bc02f0 "/home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c", 
    line=line@entry=1297, 
    function=function@entry=0x7ffff7bc08da "int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *)") at assert.c:92
#3  0x00007ffff71f0c82 in __GI___assert_fail (assertion=0x7ffff7bc090b "dec->numvtiles >= 0", 
    file=0x7ffff7bc02f0 "/home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c", line=1297, 
    function=0x7ffff7bc08da "int jpc_dec_process_siz(jpc_dec_t *, jpc_ms_t *)") at assert.c:101
#4  0x00007ffff7b46502 in jpc_dec_process_siz (dec=<optimized out>, ms=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1297
#5  0x00007ffff7b49ceb in jpc_dec_decode (dec=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:424
#6  jpc_decode (in=<optimized out>, optstr=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:261
#7  0x00007ffff7b2d030 in jp2_decode (in=<optimized out>, optstr=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jp2/jp2_dec.c:218
#8  0x00007ffff7b059ce in jas_image_decode (in=<optimized out>, fmt=<optimized out>, optstr=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/base/jas_image.c:442
---Type <return> to continue, or q <return> to quit--- 
#9  0x0000000000401bab in main (argc=<optimized out>, argv=<optimized out>)
    at /home/icy/secreal/jasper/src/appl/imginfo.c:238

Trigged in:

Breakpoint 4, jpc_dec_process_siz (dec=<optimized out>, ms=<optimized out>)
    at /home/icy/secreal/jasper/src/libjasper/jpc/jpc_dec.c:1297
1291	
1292		dec->image = 0;
1293	
1294		dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
1295		dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
1296		assert(dec->numhtiles >= 0);
1297		assert(dec->numvtiles >= 0);
1298		if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) ||
1299		  size > INT_MAX) {
1300			return -1;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Reproducer: POC8.zip

--8<--

The text was updated successfully, but these errors were encountered:

thoger · 2017-12-05T21:15:45Z

Note that the two assert()s triggered be these reproducers were introduced in Jasper version 2.0.12 via a712a20.

MaxKellermann · 2020-06-30T12:35:15Z

This vulnerability has been fixed in our fork: https://github.com/jasper-maint/jasper/

thoger mentioned this issue May 29, 2018

jasper crashes -- assertion failure #174

Closed

jubalh closed this as completed in 1b1c591 Jul 28, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reachable assertions in jpc_dec_process_siz() #165

Reachable assertions in jpc_dec_process_siz() #165

thoger commented Dec 5, 2017

thoger commented Dec 5, 2017

MaxKellermann commented Jun 30, 2020

Reachable assertions in jpc_dec_process_siz() #165

Reachable assertions in jpc_dec_process_siz() #165

Comments

thoger commented Dec 5, 2017

thoger commented Dec 5, 2017

MaxKellermann commented Jun 30, 2020