
The "jpc_streamlist_remove" function in "src/libjasper/jpc/jpc_dec.c:2407" in Jasper 4.2.2 has an assertion failure vulnerability. #381

Closed
Arbusz opened this issue Mar 29, 2024 · 4 comments

Comments

Arbusz commented Mar 29, 2024

Hi, we found one crash in jasper (libjasper 4.2.2), which is the latest version.
To assist in diagnosing and resolving this issue, we have attached the POC file along with the gdb log.

Environment:
Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Command and args:

./jasper --input-format png --input-option verbose=true --output-format jp2 --output-option quality=90 --input poc --output /tmp/file0.jp2

gdb log:

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7b72859 in __GI_abort () at abort.c:79
#2  0x00007ffff7b72729 in __assert_fail_base (fmt=0x7ffff7d08588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x4604ac "streamno < streamlist->numstreams", file=0x46012c "/root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c", line=2407, function=<optimized out>) at assert.c:92
#3  0x00007ffff7b83fd6 in __GI___assert_fail (assertion=0x4604ac "streamno < streamlist->numstreams", file=0x46012c "/root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c", line=2407, function=0x4604ce "jas_stream_t *jpc_streamlist_remove(jpc_streamlist_t *, unsigned int)") at assert.c:101
#4  0x0000000000425fb2 in jpc_streamlist_remove (streamlist=0x4a0180, streamno=0) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:2407
#5  0x000000000042275f in jpc_dec_process_sod (dec=0x49f100, ms=0x49f220) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:614
#6  0x0000000000421e21 in jpc_dec_decode (dec=0x49f100) at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:434
#7  0x00000000004217fe in jpc_decode (in=0x49adf0, optstr=0x497390 "verbose=true") at /root/programs_rq5/jasper-4.2.2/src/libjasper/jpc/jpc_dec.c:270
#8  0x000000000040e041 in jas_image_decode (in=0x49adf0, fmt=4, optstr=0x497390 "verbose=true") at /root/programs_rq5/jasper-4.2.2/src/libjasper/base/jas_image.c:445
#9  0x0000000000402dc2 in main (argc=13, argv=0x7fffffffe458) at /root/programs_rq5/jasper-4.2.2/src/app/jasper.c:320

jasper_poc.zip
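The assertion in the trace above, `streamno < streamlist->numstreams`, fires with `streamno=0`, i.e. the SOD handler asked for the first packet stream of a list that has none. The security-relevant point is that a reachable `assert()` on a value derived from untrusted input is a denial of service (SIGABRT), and that compiling with `NDEBUG` does not fix it but turns the same call into an out-of-bounds access. The following C model, added here as an illustration, is not jasper's code and not the fix that landed on master (the thread does not show it); the `streamlist_t` layout, the function names and the `process_sod_checked` handler are assumptions made for the example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a decoder's per-tile list of packet streams (an array
 * of opaque handles plus a count). Assumed for this example; it is not
 * jasper's jpc_streamlist_t. */
typedef struct {
    void **streams;
    unsigned numstreams;
    unsigned maxstreams;
} streamlist_t;

static int streamlist_init(streamlist_t *sl, unsigned maxstreams)
{
    sl->streams = calloc(maxstreams ? maxstreams : 1, sizeof(void *));
    sl->numstreams = 0;
    sl->maxstreams = maxstreams;
    return sl->streams ? 0 : -1;
}

static int streamlist_append(streamlist_t *sl, void *stream)
{
    if (sl->numstreams >= sl->maxstreams)
        return -1;
    sl->streams[sl->numstreams++] = stream;
    return 0;
}

/* Vulnerable pattern: the bound is enforced only by assert(). On an empty
 * list (numstreams == 0, streamno == 0) an assert-enabled build aborts with
 * SIGABRT, the signal in the report above, so any service decoding untrusted
 * images can be taken down. With NDEBUG the check vanishes: the call reads
 * streams[0] of an empty list and (numstreams - streamno - 1) wraps to
 * UINT_MAX before it reaches memmove. */
static void *streamlist_remove_assert(streamlist_t *sl, unsigned streamno)
{
    void *stream;
    assert(streamno < sl->numstreams);
    stream = sl->streams[streamno];
    memmove(&sl->streams[streamno], &sl->streams[streamno + 1],
            (size_t)(sl->numstreams - streamno - 1) * sizeof(void *));
    --sl->numstreams;
    return stream;
}

/* Hardened form: the input-derived index is validated at runtime and the
 * failure is returned to the caller rather than aborting the process. */
static void *streamlist_remove_checked(streamlist_t *sl, unsigned streamno)
{
    if (streamno >= sl->numstreams)
        return NULL;
    return streamlist_remove_assert(sl, streamno); /* precondition now holds */
}

/* Stand-in for the marker handler that consumes the tile's first packet
 * stream (the role jpc_dec_process_sod plays in the trace above, with
 * streamno=0). A malformed codestream that reaches it before any stream was
 * added finds the list empty. Returns 0, or -1 to report a malformed input. */
static int process_sod_checked(streamlist_t *sl, void **out)
{
    void *s = streamlist_remove_checked(sl, 0);
    if (!s)
        return -1;
    *out = s;
    return 0;
}

/* The crash case: stream 0 requested from an empty list. Returns -1 from the
 * checked path; the assert path would have aborted here. */
static int demo_empty_list_is_rejected(void)
{
    streamlist_t sl;
    void *out = NULL;
    int rc;
    if (streamlist_init(&sl, 4))
        return -2;
    rc = process_sod_checked(&sl, &out);
    free(sl.streams);
    return rc;
}

/* Well-formed input: elements come out in order and the list ends empty. */
static int demo_populated_list_works(void)
{
    static int a = 1, b = 2;
    streamlist_t sl;
    void *out = NULL;
    int ok;
    if (streamlist_init(&sl, 4) || streamlist_append(&sl, &a) ||
        streamlist_append(&sl, &b))
        return -2;
    ok = process_sod_checked(&sl, &out) == 0 && out == &a;
    ok = ok && process_sod_checked(&sl, &out) == 0 && out == &b;
    ok = ok && sl.numstreams == 0 && process_sod_checked(&sl, &out) == -1;
    free(sl.streams);
    return ok ? 0 : -1;
}
```

The check to carry over to a real decoder is that every index or count read from the codestream is validated before use and that the validation survives `-DNDEBUG`; `assert()` documents an invariant the code itself guarantees, it must not be the only guard on data an attacker controls. When fuzzing a build of your own, keep assertions enabled and treat each `SIGABRT` from `__assert_fail` as a crash to triage, since the same input path may become memory corruption in a release build.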

mdadams (Collaborator) commented Mar 29, 2024

@Arbusz The bug has been fixed on the master branch. If you get a CVE for this, please post it here so I can document that it has been fixed.

Arbusz (Author) commented Apr 1, 2024

Thank you for your swift response to our inquiries.

Credit: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.

Arbusz (Author) commented Apr 10, 2024

It's CVE-2024-31744.

mdadams (Collaborator) commented Apr 10, 2024

@Arbusz Thanks. I added the CVE to the NEWS file.
