jasper-software / jasper Goto Github PK

Official Repository for the JasPer Image Coding Toolkit

Home Page: http://www.ece.uvic.ca/~mdadams/jasper

License: Other

C 88.45% Shell 8.35% CMake 2.87% Batchfile 0.11% Roff 0.21% C++ 0.01%

c cross-platform image-coding image-processing jpeg2000 library pnm reference-implementation toolkit multithreading-support

jasper's Introduction

JasPer Image Processing/Coding Tool Kit

This is the source distribution for JasPer. JasPer is a collection of software (i.e., a library and application programs) for the coding and manipulation of images. This software can handle image data in a variety of formats. One such format supported by JasPer is the JPEG-2000 format defined in ISO/IEC 15444-1.

The complete licensing terms for the JasPer software can be found in the file named "LICENSE.txt" in the top level directory of this software distribution. Any use of this software contrary to the terms of the license is strictly prohibited. Recent changes made to the software can be found in the file "ChangeLog". Detailed documentation on the JasPer software can be found in the JasPer Software Reference Manual. This manual is located in the "doc" directory, and includes useful information such as:

how to build, install, and use the software,
how to submit report bugs, and
where to find additional information about the software.

The official web site for the JasPer software has the following URL:

https://jasper-software.github.io/jasper

The official Git repository for the JasPer software is hosted by GitHub. The URL for the GitHub site is as follows:

https://github.com/jasper-software/jasper

The Git repository can be accessed via the URL:

https://github.com/jasper-software/jasper.git

Information on how to install this software can be found in the file INSTALL.txt.

The reference manual for this software can be found in the directory doc. The manual is provided in two formats:

HTML format in the directory doc/html (Open the file doc/html/index.html in your web browser.)
PDF format in doc/manual.pdf

The reference manual for the JasPer software is also available online at:

https://jasper-software.github.io/jasper-manual

A detailed introduction to the JPEG-2000 standard can be found in:

doc/jpeg2000.pdf

All bug reports should be submitted via the issue-tracking system provided by GitHub. To submit a bug report, go the following URL and click on the "New issue" button:

https://github.com/jasper-software/jasper/issues

Please do not submit bug reports via email, as bug reports that are not submitted via the above issue-tracking system on GitHub may be lost.

jasper's People

Contributors

Stargazers

Watchers

Forkers

jpopelka grahamc dlemstra nagyistge jmroot jasonp2k3 gongchensz gagern renyu310 tsondergaard baruchsiach xantares yueyihua ahnan4arch bgrevelt elverde cybersys tonytheodore nrusch raddist windkit hunter-packages dylancao jowolf did-g yadykin yxliang jiapei100 ugiwgh letiendat96 butterflyhack rshariffdeen buckaroo-pm jubalh zhenxian-hu ronnyzhao sahwar kikoucalou ortalby externpro duylnk68 jhgit anzq001 xiaoshzx spaceim sabarbosac andywood osamu620 maxkellermann pkl97 theta682 uvic-frodo happyfacade zma35 jamaika1 alex gerhobbelt yeigensatz hixio-mh auscanaoy tanxuejin dionerolf gedefili preethamsh tiedaoxiaotubie rnshah9 lokeshkalamalla ennamarie19 moshemeidan martchus baptistapedro baronren xiaoxiaoafeifei shubhvj tanysky longervision uilianries eemmanuel7 dongqi-dq chenxiuyi kmilos mashengcai jpalus hexagon-htc longsy316 indiasucks excloudx6 webstorage119 sysfce2 wklimeck hydrogencl lazka thesamesam superman-happy dearborn-open-ai scantist-ossops-m2 snafi99 fdu-sec mizzrym1 aspirantioner

jasper's Issues

Assertion failure in ras_getcmap

On 1.1900.13:

/tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/ras/ras_dec.c:330: int ras_getcmap(jas_stream_t *, ras_hdr_t *, ras_cmap_t *): Assertion `numcolors <= 256' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00005-jasper-assert-ras_getcmap

segfault / null pointer access in imginfo on malformed mif

This malformed mif file will segfault imginfo. Found with afl.
nullptr.zip

Stack trace:

==5092==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f244a bp 0x60700000dfb0 sp 0x7ffe0d1dfbb0 T0)
    #0 0x4f2449 in main /f/jasper/jasper/src/appl/imginfo.c:198:10
    #1 0x7f2d67e4078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #2 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/jasper/jasper/src/appl/imginfo.c:198:10 in main
==5092==ABORTING

Assertion failure in jpc_iict

On 1.900.13:

type = 0xff76 (UNKNOWN); len = 20;10 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_mct.c:233: void jpc_iict(jas_matrix_t *, jas_matrix_t *, jas_matrix_t *): Assertion `((c1)->numcols_) == numcols && ((c2)->numcols_) == numcols' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00008-jasper-assert-jpc_iict

Assertion failure in jpc_bitstream_getbits

On 1.900.13:

type = 0xff05 (UNKNOWN); len = 20;01 40 40 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_bs.c:197: long jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion `n >= 0 && n < 32' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits

NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

On 1.900.5 I get a segfault.

Stacktrace:

# imginfo -f $FILE
cannot copy box data                                                                                                                                                                                                                                                           
ASAN:DEADLYSIGNAL                                                                                                                                                                                                                                                              
=================================================================                                                                                                                                                                                                              
==19664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc50768570 T0)                                                                                                                                        
    #0 0x41defc in atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t> /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81                                                      
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465                                
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525                                   
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709                                                              
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41                                                                                                                                     
    #5 0x7f8dcb5bc940 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:443:3                                                                                                                                         
    #6 0x7f8dcb5c1f69 in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:211:3                                                                                                                                          
    #7 0x7f8dcb5c1f69 in jp2_box_get /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:307                                                                                                                                                
    #8 0x7f8dcb5c5dc0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:156:16                                                                                                                                              
    #9 0x7f8dcb556f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16                                                                                                                                     
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16                                                                                                                                                                  
    #11 0x7f8dca66561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                                                                                                          

AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>                                      
==19664==ABORTING

Testcase:
8.crashes.zip

Memory allocate failure in jas_malloc (jas_malloc.c)

I get a memory allocate failure on 1.900.5

Stacktrace:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!                                                                                                                                                                                                                                         
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.                                                                                                                                                                                                              
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA                                                                                                                                                                                                                
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.                                                                                                                                                                                                                              
==18943==ERROR: AddressSanitizer failed to allocate 0x1000002000 (68719484928) bytes of LargeMmapAllocator (error code: 12)                                                                                                                                                    
==18943==Process memory map follows:                                                                                                                                                                                                                                           
        0x000000400000-0x000000520000   /usr/bin/imginfo                                                                                                                                                                                                                       
        0x00000071f000-0x000000720000   /usr/bin/imginfo                                                                                                                                                                                                                       
        0x000000720000-0x000000724000   /usr/bin/imginfo                                                                                                                                                                                                                       
        0x000000724000-0x0000013a6000                                                                                                                                                                                                                                          
        0x00007fff7000-0x00008fff7000                                                                                                                                                                                                                                          
        0x00008fff7000-0x02008fff7000                                                                                                                                                                                                                                          
        0x02008fff7000-0x10007fff8000                                                                                                                                                                                                                                          
        0x600000000000-0x602000000000                                                                                                                                                                                                                                          
        0x602000000000-0x602000010000                                                                                                                                                                                                                                          
        0x602000010000-0x603000000000                                                                                                                                                                                                                                          
        0x603000000000-0x603000010000                                                                                                                                                                                                                                          
        0x603000010000-0x604000000000                                                                                                                                                                                                                                          
        0x604000000000-0x604000010000                                                                                                                                                                                                                                          
        0x604000010000-0x606000000000                                                                                                                                                                                                                                          
        0x606000000000-0x606000010000                                                                                                                                                                                                                                          
        0x606000010000-0x60b000000000                                                                                                                                                                                                                                          
        0x60b000000000-0x60b000010000                                                                                                                                                                                                                                          
        0x60b000010000-0x619000000000                                                                                                                                                                                                                                          
        0x619000000000-0x619000020000                                                                                                                                                                                                                                          
        0x619000020000-0x625000000000                                                                                                                                                                                                                                          
        0x625000000000-0x625000020000                                                                                                                                                                                                                                          
        0x625000020000-0x640000000000                                                                                                                                                                                                                                          
        0x640000000000-0x640000003000                                                                                                                                                                                                                                          
        0x7f4f00738000-0x7f4f03593000                                                                                                                                                                                                                                          
        0x7f4f03593000-0x7f4f035fc000   /usr/lib64/libjpeg.so.62.2.0                                                                                                                                                                                                           
        0x7f4f035fc000-0x7f4f037fb000   /usr/lib64/libjpeg.so.62.2.0                                                                                                                                                                                                           
        0x7f4f037fb000-0x7f4f037fc000   /usr/lib64/libjpeg.so.62.2.0                                                                                                                                                                                                           
        0x7f4f037fc000-0x7f4f037fd000   /usr/lib64/libjpeg.so.62.2.0                                                                                                                                                                                                           
        0x7f4f037fd000-0x7f4f03990000   /lib64/libc-2.22.so                                                                                                                                                                                                                    
        0x7f4f03990000-0x7f4f03b90000   /lib64/libc-2.22.so                                                                                                                                                                                                                    
        0x7f4f03b90000-0x7f4f03b94000   /lib64/libc-2.22.so                                                                                                                                                                                                                    
        0x7f4f03b94000-0x7f4f03b96000   /lib64/libc-2.22.so                                                                                                                                                                                                                    
        0x7f4f03b96000-0x7f4f03b9a000                                                                                                                                                                                                                                          
        0x7f4f03b9a000-0x7f4f03bb0000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1                                                                                                                                                                                 
        0x7f4f03bb0000-0x7f4f03daf000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1                                                                                                                                                                                 
        0x7f4f03daf000-0x7f4f03db0000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1                                                                                                                                                                                 
        0x7f4f03db0000-0x7f4f03db1000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1                                                                                                                                                                                 
        0x7f4f03db1000-0x7f4f03db3000   /lib64/libdl-2.22.so
        0x7f4f03db3000-0x7f4f03fb3000   /lib64/libdl-2.22.so
        0x7f4f03fb3000-0x7f4f03fb4000   /lib64/libdl-2.22.so
        0x7f4f03fb4000-0x7f4f03fb5000   /lib64/libdl-2.22.so
        0x7f4f03fb5000-0x7f4f03fbb000   /lib64/librt-2.22.so
        0x7f4f03fbb000-0x7f4f041bb000   /lib64/librt-2.22.so
        0x7f4f041bb000-0x7f4f041bc000   /lib64/librt-2.22.so
        0x7f4f041bc000-0x7f4f041bd000   /lib64/librt-2.22.so
        0x7f4f041bd000-0x7f4f041d4000   /lib64/libpthread-2.22.so
        0x7f4f041d4000-0x7f4f043d3000   /lib64/libpthread-2.22.so
        0x7f4f043d3000-0x7f4f043d4000   /lib64/libpthread-2.22.so
        0x7f4f043d4000-0x7f4f043d5000   /lib64/libpthread-2.22.so
        0x7f4f043d5000-0x7f4f043d9000
        0x7f4f043d9000-0x7f4f044d6000   /lib64/libm-2.22.so
        0x7f4f044d6000-0x7f4f046d5000   /lib64/libm-2.22.so
        0x7f4f046d5000-0x7f4f046d6000   /lib64/libm-2.22.so
        0x7f4f046d6000-0x7f4f046d7000   /lib64/libm-2.22.so
        0x7f4f046d7000-0x7f4f04891000   /usr/lib64/libjasper.so.1.0.0
        0x7f4f04891000-0x7f4f04a90000   /usr/lib64/libjasper.so.1.0.0
        0x7f4f04a90000-0x7f4f04a94000   /usr/lib64/libjasper.so.1.0.0
        0x7f4f04a94000-0x7f4f04aa3000   /usr/lib64/libjasper.so.1.0.0
        0x7f4f04aa3000-0x7f4f04aac000
        0x7f4f04aac000-0x7f4f04ace000   /lib64/ld-2.22.so
        0x7f4f04c67000-0x7f4f04cc2000
        0x7f4f04cc2000-0x7f4f04ccd000
        0x7f4f04ccd000-0x7f4f04cce000   /lib64/ld-2.22.so
        0x7f4f04cce000-0x7f4f04ccf000   /lib64/ld-2.22.so
        0x7f4f04ccf000-0x7f4f04cd0000
        0x7ffeaeaca000-0x7ffeaeaeb000   [stack]
        0x7ffeaeb8a000-0x7ffeaeb8c000   [vvar]
        0x7ffeaeb8c000-0x7ffeaeb8e000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==18943==End of process memory map.
==18943==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9ccd in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0803 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d09f1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9a2a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x421dbf in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x421dbf in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x421dbf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x421dbf in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0391 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f4f0474e170 in jas_malloc /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_malloc.c:117:9
    #10 0x7f4f0474e170 in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_malloc.c:141
    #11 0x7f4f04764b4f in bmp_getinfo /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:297:25
    #12 0x7f4f04764b4f in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:132
    #13 0x7f4f0470ef39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #14 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #15 0x7f4f0381d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

Testcase:
2.crashes.zip

Heap Buffer Overflow (READ of size 4) in jpc_pi_nextrpcl()

Fuzzing the imginfo example tool with AFL, I came across a test case that triggers a heap buffer overflow.

The ASAN report is as follows:

==14266==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e090 at pc 0x7fee9630e0f2 bp 0x7ffd4a9ae990 sp 0x7ffd4a9ae988
READ of size 4 at 0x60200000e090 thread T0
#0 0x7fee9630e0f1 in jpc_pi_nextrpcl /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_t2cod.c:301:25
#1 0x7fee9630e0f1 in jpc_pi_next /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_t2cod.c:119
#2 0x7fee963112b5 in jpc_dec_decodepkts /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_t2dec.c:441:14
#3 0x7fee96275dbe in jpc_dec_process_sod /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_dec.c:594:6
#4 0x7fee9627e1e0 in jpc_dec_decode /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_dec.c:391:12
#5 0x7fee9627e1e0 in jpc_decode /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_dec.c:255
#6 0x7fee9624d6aa in jp2_decode /home/spotless/jasper/jasper/src/libjasper/jp2/jp2_dec.c:215:21
#7 0x7fee961dbe49 in jas_image_decode /home/spotless/jasper/jasper/src/libjasper/base/jas_image.c:396:18
#8 0x4dc375 in main /home/spotless/jasper/jasper/src/appl/imginfo.c:203:16
#9 0x7fee94f66a3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
#10 0x435728 in _start (/home/spotless/jasper/jasper/src/appl/.libs/lt-imginfo+0x435728)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/spotless/jasper/jasper/src/libjasper/jpc/jpc_t2cod.c:301 jpc_pi_nextrpcl
Shadow bytes around the buggy address:
0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9c10: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14266==ABORTING

Here is the base64 encoded test case:
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAAAtanAyaAAAABZpaGRyAAAAIAAAACAA
AwcHAAAAAAAPY29scgIAAAAAABAAAADYanAyY/9P/1EALwAAAAAAIAAAACAAAAAAAAAAAAAAACAA
AAAgAAAAAAAAABMAAwcBAwcB/vj+/v9SAAwAAgABAQsEBAAA/1wABEBA/1wAJQABQ3JlYXRlZCBi
eSBPcGVuSlBFRyB2ZXJzaW9uIDIuMS4w/5AACgAAAAAAYAAB/5Pc1wAYgA4hv/wu6rI3ztvzBVI/
Qy0r3ddkxD1n/3KrNSv4Q8qzX8rZJIW0WVyNJf134Mt4HYdg1vgobo9lRSXq/12/GnETEKne5N1r
Qfc43GZP/9k=

Fix C99 bool type

In Gentoo, we're currently applying a patch to fix the broken bool handling:
https://github.com/gentoo/gentoo/blob/master/media-libs/jasper/files/jasper-1.900.3-remove-stdbool-checks.patch

The issued caused is documented here:
https://bugs.gentoo.org/show_bug.cgi?id=513240

I suggest getting rid of all the test stuff and just asking for C99 support unconditionally. As a second solution, if you'd like to keep it the way it is, I think moving the #undef's just before the #include <stdbool.h> should also do the job.

signed integer overflow in jas_image.c

On 1.900.17:

/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'

Testcase: https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

assert triggered by malformed mif in pnm_getsint

See attached file, found with afl.

Triggers an assert in imginfo:
imginfo: pnm_dec.c:397: int pnm_getsint(jas_stream_t *, int, int_fast32_t *): Assertion `(tmpval & (1 << (wordsize - 1))) == 0' failed.
assert-pnm_getsint.zip

abort on malformed MIF file

The attached file causes an abort in jasper, testable with imginfo.
It's mostly a truncated MIF file, only 6 bytes. Found with afl.

jasper-abort.zip

Assertion failure in jas_matrix_t (Unfixed #53)

On 1.900.15:

imginfo: /tmp/portage/media-libs/jasper-1.900.15/work/jasper-1.900.15/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00016-jasper-assert-jas_matrix_t

NULL pointer dereference in bmp_getdata (bmp_dec.c)

Hello,
time ago I found multiple crashes on jasper. I didn't know where to post the bugs since the development seems dead, so I just informed the community on oss-security.
Now I discovered that the development is still active, here the details:

# imginfo $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING

Tested against the latest 1.900.3
Testcase:
10.crash.zip

assertion failure in jas_matrix_t ( unfixed #49 )

on 1.900.13:

imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00007-jasper-assert-jas_matrix_t

left shift in jas_math.h

On 1.900.17:

/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

Testcase: https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h

NULL pointer dereference in bmp_getdata (bmp_dec.c) (DIFFERENT FROM #21)

# imginfo $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA                                                                                                  
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.                                                                                                                
skipping unknown data in BMP file                                                                                                                                
ASAN:DEADLYSIGNAL                                                                                                                                                
=================================================================                                                                                                
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)                              
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5                                                               
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190                                                                  
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16                                                      
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16                                                                                    
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                          
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)                                                                          

AddressSanitizer can not provide additional info.                                                                                                                
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata                                                     
==26929==ABORTING

Tested against the latest 1.900.3
Testcase:
9.crash.zip

Assertion failure in jpc_dequantize

On 1.900.13:

type = 0xff76 (UNKNOWN); len = 20;00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_dec.c:1817: void jpc_dequantize(jas_matrix_t *, jpc_fix_t): Assertion `absstepsize >= 0' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize

jas_malloc.c uses C11 feature max_align_t

In Gentoo we require setting C11 support, otherwise compilers error out in jas_malloc.c due to the max_align_t typedef. I recommend either using gnulib + max_align_t, or just assuming the largest type is 16 or even 32 bytes in order to be able to use just C99 features.

https://bugs.gentoo.org/show_bug.cgi?id=598418

Assertion failure in JPC_NOMINALGAIN

On 1.900.13:

/tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_t1cod.c:144: int JPC_NOMINALGAIN(int, int, int, int): Assertion `qmfbid == 0x01' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00004-jasper-assert-JPC_NOMINALGAIN

divide-by-zero in jpc_dec_process_siz (jpc_dec.c)

# imginfo $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING

Tested against the latest 1.900.3
Testcase:
11.crash.zip

double free on jpeg parsing

The attached file (when passed to imginfo) will cause a double free. Found with american fuzzy lop.
jasper-doublefree-mem_close.zip

Stack trace from asan:

==9522==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4c0f00 in __interceptor_free (/r/jasper/imginfo+0x4c0f00)
    #1 0x51050d in mem_close /f/jasper/src/libjasper/base/jas_stream.c:1079:3
    #2 0x507757 in jas_stream_close /f/jasper/src/libjasper/base/jas_stream.c:466:2
    #3 0x4f47e8 in jas_image_cmpt_destroy /f/jasper/src/libjasper/base/jas_image.c:343:3
    #4 0x4f47e8 in jas_image_cmpt_create /f/jasper/src/libjasper/base/jas_image.c:333
    #5 0x4f93d8 in jas_image_addcmpt /f/jasper/src/libjasper/base/jas_image.c:677:18
    #6 0x5b4a42 in jpg_mkimage /f/jasper/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x5b4a42 in jpg_decode /f/jasper/src/libjasper/jpg/jpg_dec.c:171
    #8 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #9 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #10 0x7f8cf356978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c1588 in realloc (/r/jasper/imginfo+0x4c1588)
    #1 0x501bc2 in jas_realloc2 /f/jasper/src/libjasper/base/jas_malloc.c:160:9

previously allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x50715d in jas_stream_memopen /f/jasper/src/libjasper/base/jas_stream.c:215:15

SUMMARY: AddressSanitizer: double-free (/r/jasper/imginfo+0x4c0f00) in __interceptor_free
==9522==ABORTING

use-of-uninitialized-value in jpg_mkimage (jpg_dec.c)

If I'm not mistaken it happens by default on all jpg, no need crafted image. Attaching a testcase for completeness.

On 1.900.17:

==21965==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f6caf44d7b9 in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpg/jpg_dec.c:259:2
    #1 0x7f6caf44d7b9 in jpg_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpg/jpg_dec.c:183
    #2 0x7f6caf1db9d1 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:396:16
    #3 0x55a670e6f831 in main /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/appl/imginfo.c:203:16
    #4 0x7f6cae2ee61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x55a670df0a28 in _init (/usr/bin/imginfo+0x1aa28)

  Uninitialized value was created by an allocation of 'cinfo' in the stack frame of function 'jpg_decode'
    #0 0x7f6caf44b0c0 in jpg_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpg/jpg_dec.c:136

SUMMARY: MemorySanitizer: use-of-uninitialized-value /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpg/jpg_dec.c:259:2 in jpg_mkimage
Exiting

Testcase: https://github.com/asarubbo/poc/blob/master/00021-jasper-uninitvalue-jpg_mkimage

divide-by-zero in jpc_dec_process_siz (jpc_dec.c) (DIFFERENT FROM #22)

# imginfo $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING

Tested against the latest 1.900.3
Testcase:
12.crash.zip

Assertion failure in jpc_iict (another one)

On 1.900.13:

imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_mct.c:231: void jpc_iict(jas_matrix_t *, jas_matrix_t *, jas_matrix_t *): Assertion `((c1)->numrows_) == numrows && ((c2)->numrows_) == numrows' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00009-jasper-assert-jpc_iict

mutiple implicit declaration of function

After the compilation, I get these warnings:

 * /tmp/portage/media-libs/jasper-1.900.9/work/jasper-1.900.9/src/libjasper/base/jas_getopt.c:129:7: warning: implicit declaration of function 'jas_eprintf' is invalid in C99 [-Wimplicit-function-declaration]
 * /tmp/portage/media-libs/jasper-1.900.9/work/jasper-1.900.9/src/libjasper/jpc/jpc_tsfb.c:124:31: warning: implicit declaration of function 'jpc_tsfb_analyze2' is invalid in C99 [-Wimplicit-function-declaration]
 * /tmp/portage/media-libs/jasper-1.900.9/work/jasper-1.900.9/src/libjasper/jpc/jpc_tsfb.c:152:4: warning: implicit declaration of function 'jpc_tsfb_synthesize2' is invalid in C99 [-Wimplicit-function-declaration]
 * :243:6: warning: implicit declaration of function 'jas_eprintf' is invalid in C99 [-Wimplicit-function-declaration]
 * /tmp/portage/media-libs/jasper-1.900.9/work/jasper-1.900.9/src/libjasper/mif/mif_cod.c:282:3: warning: implicit declaration of function 'jas_eprintf' is invalid in C99 [-Wimplicit-function-declaration]
 * /tmp/portage/media-libs/jasper-1.900.9/work/jasper-1.900.9/src/libjasper/pnm/pnm_dec.c:121:3: warning: implicit declaration of function 'jas_eprintf' is invalid in C99 [-Wimplicit-function-declaration]

I need to investigate why at :243:6: there is no printed file....

Assertion failure in jpc_pi_nextrpcl

On 1.900.13:

type = 0xff41 (UNKNOWN); len = 20;02 40 40 00 00 00 00 ee ff 00 00 00 00 24 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_t2cod.c:297: int jpc_pi_nextrpcl(jpc_pi_t *): Assertion `pi->prcno < pi->pirlvl->numprcs' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00013-jasper-assert-jpc_pi_nextrpcl

left shift in jpc_dec.c

On 1.900.17:

/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

Testcase: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c

Assertion failure in jpc_irct

On 1.900.13:

imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_mct.c:146: void jpc_irct(jas_matrix_t *, jas_matrix_t *, jas_matrix_t *): Assertion `((c1)->numrows_) == numrows && ((c1)->numcols_) == numcols && ((c2)->numrows_) == numrows && ((c2)->numcols_) == numcols' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00006-jasper-assert-jpc_irct

assert in jpc_dec_tiledecode()

The attached file causes an assert in the function jpc_dec_tiledecode. Found with american fuzzy lop.
jasper-assert-jpc_dec_tiledecode.zip

Error message:
imginfo: jpc_dec.c:1072: int jpc_dec_tiledecode(jpc_dec_t *, jpc_dec_tile_t *): Assertion `dec->numcomps >= 3' failed.

segfault / null pointer access in jpc_pi_destroy

The attached file will crash jasper (can be tested with imginfo) with a null pointer access. It was found with american fuzzy lop.
jasper-nullptr-jpc_pi_destroy.zip

Stack trace from address sanitizer:

==22340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000059f33f bp 0x611000009fc8 sp 0x7fffa1dea040 T0)
    #0 0x59f33e in jpc_pi_destroy /f/jasper/src/libjasper/jpc/jpc_t2cod.c:521:10
    #1 0x54f43f in jpc_dec_tilefini /f/jasper/src/libjasper/jpc/jpc_dec.c:999:3
    #2 0x5403bd in jpc_dec_process_eoc /f/jasper/src/libjasper/jpc/jpc_dec.c:1151:3
    #3 0x547fb4 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x547fb4 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7f2ac820478f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/jasper/src/libjasper/jpc/jpc_t2cod.c:521:10 in jpc_pi_destroy
==22340==ABORTING

Assertion failure in calcstepsizes

On 1.900.13:

imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_dec.c:1637: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00012-jasper-assert-calcstepsizes

heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)

Tested on 1.900.10

warning: not enough tile data (9 bytes)                                                                                                                                                        
=================================================================                                                                                                                              
==15870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0c6a964770 at pc 0x7f0c729e93a4 bp 0x7ffd08758cf0 sp 0x7ffd08758ce8                                                      
READ of size 8 at 0x7f0c6a964770 thread T0                                                                                                                                                     
    #0 0x7f0c729e93a3 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43                                                   
    #1 0x7f0c729d9567 in jpc_dec_process_eoc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1170:8                                                   
    #2 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10                                                        
    #3 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254                                                               
    #4 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21                                                            
    #5 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16                                                   
    #6 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16                                                                                 
    #7 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #8 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                           

0x7f0c6a964770 is located 0 bytes to the right of 64749424-byte region [0x7f0c66ba4800,0x7f0c6a964770)                                                                                         
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4c03b8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                   
    #1 0x7f0c7297efbe in jas_malloc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:105:11                                                        
    #2 0x7f0c7297efbe in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:136                                                           
    #3 0x7f0c7297fb44 in jas_matrix_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:129:25                                                    
    #4 0x7f0c7297f71b in jas_seq2d_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:90:17                                                      
    #5 0x7f0c729d4280 in jpc_dec_tileinit /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:702:23                                                      
    #6 0x7f0c729d4280 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:559                                                      
    #7 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10                                                        
    #8 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254                                                               
    #9 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21                                                            
    #10 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16                                                  
    #11 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #12 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43 in jpc_dec_tiledecode
Shadow bytes around the buggy address:
  0x0fe20d524890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe20d5248e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0fe20d5248f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15870==ABORTING

Testcase:
642.crashes.zip

Issue a release

Hello!

I see @hughsie has put in a bunch of fixes here. There are a few more I've seen:

Some of these patches: https://bugs.archlinux.org/task/48511

and I didn't find the patch for https://access.redhat.com/security/cve/CVE-2015-5203 yet

Have you considered making a release to contain all these fixes? Can I help somehow?

Thank you!

Graham

Please include old security fixes

Hello,

at gentoo we add the following patches that the maintainer found on the other distro:

https://dev.gentoo.org/~soap/distfiles/jasper-1.900.3_p20161014-patches.tar.bz2

Could you check and include what for you is suitable to go into upstream? thanks

NULL pointer dereference in bmp_getdata (bmp_dec.c) (INCOMPLETE FIX FOR #21)

On 1.900.5 I still get the failure reported in #21

Stacktrace:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!                                                                                                                                                                                                                                         
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.                                                                                                                                                                                                              
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA                                                                                                                                                                                                                
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.                                                                                                                                                                                                                              
skipping unknown data in BMP file                                                                                                                                                                                                                                              
ASAN:DEADLYSIGNAL                                                                                                                                                                                                                                                              
=================================================================                                                                                                                                                                                                              
==19659==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f90527a18fe bp 0x7ffcfacc8070 sp 0x7ffcfacc7ee0 T0)
    #0 0x7f90527a18fd in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
    #1 0x7f90527a18fd in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f9052748f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f905185761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5 in bmp_getdata
==19659==ABORTING

Testcase:
5.crashes.zip

signed integer overflow in jpc_tsfb.c

On 1.900.17:

/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

Testcase: https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c

Heap overflow in jpc_dec_cp_setfromcox()

The attached malformed jpeg2000 file triggers a one byte heap overflow in jasper. It was found with american fuzzy lop.
jasper-heapoverflow-jpc_dec_cp_setfromcox.zip

Here's a stack trace from address sanitizer:

==28545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000010000 at pc 0x000000542b0f bp 0x7ffd396e7890 sp 0x7ffd396e7888
WRITE of size 1 at 0x618000010000 thread T0
    #0 0x542b0e in jpc_dec_cp_setfromcox /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32
    #1 0x542b0e in jpc_dec_cp_setfromcod /f/jasper/src/libjasper/jpc/jpc_dec.c:1636
    #2 0x542b0e in jpc_dec_process_cod /f/jasper/src/libjasper/jpc/jpc_dec.c:1263
    #3 0x547fb4 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x547fb4 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7fea0e13378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x618000010000 is located 0 bytes to the right of 896-byte region [0x61800000fc80,0x618000010000)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_dec.c:1668:32 in jpc_dec_cp_setfromcox
Shadow bytes around the buggy address:
  0x0c307fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28545==ABORTING

segfault / null pointer access with malformed mif

imginfo crashes by a simple MIF file only containing the two lines MIF and end.
Test:

echo -e "MIF\nend"|imginfo

jasper-segfault-nullpointer.zip

signed integer overflow in jpc_dec.c

On 1.900.17:

/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

Testcase: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c

NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (UNFIXED #34)

#34 is still unfixed to me. Tested on 1.900.10

# imginfo -f $FILE
ASAN:DEADLYSIGNAL
=================================================================
==20885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc4e4a4550 T0)
    #0 0x41defc in atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t> /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7faeeeb2d430 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:450:3
    #6 0x7faeeeb32b0e in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7faeeeb32b0e in jp2_box_get /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:314
    #8 0x7faeeeb369a0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7faeeeac6a29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #11 0x7faeedbd361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>
==20885==ABORTING

Testcase:
681.crashes.zip

NULL pointer dereference in jpc_tsfb_synthesize (jpc_tsfb.c)

There is a null pointer dereference in jpc_tsfb_synthesize.

Stacktrace:

# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)
warning: not enough tile data (15 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
ASAN:DEADLYSIGNAL
=================================================================
==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0)
    #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4
    #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3
    #2 0x7f6d3c2e5c40 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:623:7
    #3 0x7f6d3c2ef294 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x7f6d3c2ef294 in jpc_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:254
    #5 0x7f6d3c2bd061 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:215:21
    #6 0x7f6d3c24df39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #7 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #9 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                                                                                                           

AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 in jpc_tsfb_synthesize                                                                                                                           
==7144==ABORTING

Testcase:
132.crashes.zip

Compilation failure while enabling --enable-memory-limit

On 1.900.14 I get:

/tmp/portage/media-libs/jasper-1.900.14/work/jasper-1.900.14/src/libjasper/base/jas_malloc.c:95:29: error: use of undeclared identifier 'yes'
static size_t jas_max_mem = JAS_DEFAULT_MAX_MEM_USAGE;
                            ^
../../../src/libjasper/include/jasper/jas_config.h:98:35: note: expanded from macro 'JAS_DEFAULT_MAX_MEM_USAGE'
#define JAS_DEFAULT_MAX_MEM_USAGE yes
                                  ^
4 warnings and 1 error generated.
Makefile:481: recipe for target 'jas_malloc.lo' failed
make[3]: *** [jas_malloc.lo] Error 1
make[3]: Leaving directory '/tmp/portage/media-libs/jasper-1.900.14/work/jasper-1.900.14-abi_x86_64.amd64/src/libjasper/base'
Makefile:593: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/tmp/portage/media-libs/jasper-1.900.14/work/jasper-1.900.14-abi_x86_64.amd64/src/libjasper'
Makefile:431: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/tmp/portage/media-libs/jasper-1.900.14/work/jasper-1.900.14-abi_x86_64.amd64/src'
Makefile:473: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Fix build system for VPATH builds

Hi @mdadams
We recently got build failures in Gentoo, as we build jasper multilib aware, meaning using -m32 for 32-bit libs and -m64 for 64-bit libs. Unfortunately, the jas_config.h which is created in a separate build dir is never honoured. This in effect means that the build will only ever work when compiling in the source-tree. I've prepared a patch to always include the build tree before the source tree:
https://github.com/gentoo/gentoo/blob/master/media-libs/jasper/files/jasper-1.900.6-fix-build-system.patch

The issue is documented here:
https://bugs.gentoo.org/show_bug.cgi?id=597208

Heap overflow in jpc_getuint16()

The attached file will cause a heap overflow in the function jpc_getunit16. It was found with american fuzzy lop.
jasper-heapoverflow-jpc_getuint16.zip

Here's a stack trace from address sanitizer:

==29479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ecd8 at pc 0x0000005259c4 bp 0x7fffa3b06560 sp 0x7fffa3b06558
WRITE of size 8 at 0x60200000ecd8 thread T0
    #0 0x5259c3 in jpc_getuint16 /f/jasper/src/libjasper/jpc/jpc_cs.c:1572:8
    #1 0x53538d in jpc_crg_getparms /f/jasper/src/libjasper/jpc/jpc_cs.c:1365:5
    #2 0x524f00 in jpc_getms /f/jasper/src/libjasper/jpc/jpc_cs.c:280:7
    #3 0x548052 in jpc_dec_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:372:14
    #4 0x548052 in jpc_decode /f/jasper/src/libjasper/jpc/jpc_dec.c:254
    #5 0x4f6032 in jas_image_decode /f/jasper/src/libjasper/base/jas_image.c:372:16
    #6 0x4f23cf in main /f/jasper/src/appl/imginfo.c:188:16
    #7 0x7fc62b7ba78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4195d8 in _start (/r/jasper/imginfo+0x4195d8)

0x60200000ecd8 is located 0 bytes to the right of 8-byte region [0x60200000ecd0,0x60200000ecd8)
allocated by thread T0 here:
    #0 0x4c1208 in malloc (/r/jasper/imginfo+0x4c1208)
    #1 0x501a1f in jas_malloc /f/jasper/src/libjasper/base/jas_malloc.c:117:9
    #2 0x501a1f in jas_alloc2 /f/jasper/src/libjasper/base/jas_malloc.c:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/jasper/src/libjasper/jpc/jpc_cs.c:1572:8 in jpc_getuint16
Shadow bytes around the buggy address:
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa 00[fa]fa fa 01 fa
  0x0c047fff9da0: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff9db0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9dc0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9dd0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9de0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29479==ABORTING

double-free in mem_close (jas_stream.c)

# imginfo $FILE
Corrupt JPEG data: 1 extraneous bytes before marker 0xc4                                                                                                                                                                                                                       
=================================================================                                                                                                                                                                                                              
==9405==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:                                                                                                                                                                                        
    #0 0x4bfe10 in __interceptor_free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38                                                                                                                       
    #1 0x7fe9caf2e160 in mem_close /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:1079:3                                                                                                                                                                          
    #2 0x7fe9caf28cdb in jas_stream_close /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:466:2                                                                                                                                                                    
    #3 0x7fe9caefc981 in jas_image_cmpt_destroy /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:343:3                                                                                                                                                               
    #4 0x7fe9caefc981 in jas_image_cmpt_create /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:333                                                                                                                                                                  
    #5 0x7fe9caeff787 in jas_image_addcmpt /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:677:18                                                                                                                                                                   
    #6 0x7fe9cafc49ac in jpg_mkimage /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:247:7                                                                                                                                                                             
    #7 0x7fe9cafc49ac in jpg_decode /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:171                                                                                                                                                                                
    #8 0x7fe9caefda9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16                                                                                                                                                                    
    #9 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16                                                                                                                                                                                                  
    #10 0x7fe9ca01561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       
    #11 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)                                                                                                                                                                                       

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)                                                                                                                                                                                   
freed by thread T0 here:                                                                                                                                                                                                                                                       
    #0 0x4c0498 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71                                                                                                                                  
    #1 0x7fe9caf2dd53 in mem_resize /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:995:14                                                                                                                                                                         
    #2 0x7fe9caf2dd53 in mem_write /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:1018                                                                                                                                                                            
    #3 0x7fe9caf2b0b3 in jas_stream_flushbuf /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:819:7                                                                                                                                                                 
    #4 0x7fe9caf2cb14 in jas_stream_flush /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:749:9                                                                                                                                                                    
    #5 0x7fe9caf2cb14 in jas_stream_seek /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:656                                                                                                                                                                       
    #6 0x7fe9caefc95a in jas_image_cmpt_create /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:332:4                                                                                                                                                                
    #7 0x7fe9caeff787 in jas_image_addcmpt /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:677:18                                                                                                                                                                   
    #8 0x7fe9cafc49ac in jpg_mkimage /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:247:7                                                                                                                                                                             
    #9 0x7fe9cafc49ac in jpg_decode /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:171                                                                                                                                                                                
    #10 0x7fe9caefda9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16                                                                                                                                                                   
    #11 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16                                                                                                                                                                                                 
    #12 0x7fe9ca01561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       

previously allocated by thread T0 here:                                                                                                                                                                                                                                        
    #0 0x4c0118 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                                                                                                   
    #1 0x7fe9caf2885e in jas_stream_memopen /tmp/jasper-version-1.900.3/src/libjasper/base/jas_stream.c:215:15                                                                                                                                                                 
    #2 0x7fe9caefc78e in jas_image_cmpt_create /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:322:28                                                                                                                                                               
    #3 0x7fe9caeff787 in jas_image_addcmpt /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:677:18                                                                                                                                                                   
    #4 0x7fe9cafc49ac in jpg_mkimage /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:247:7                                                                                                                                                                             
    #5 0x7fe9cafc49ac in jpg_decode /tmp/jasper-version-1.900.3/src/libjasper/jpg/jpg_dec.c:171                                                                                                                                                                                
    #6 0x7fe9caefda9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16                                                                                                                                                                    
    #7 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16                                                                                                                                                                                                  
    #8 0x7fe9ca01561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        

SUMMARY: AddressSanitizer: double-free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 in __interceptor_free
==9405==ABORTING

Tested against the latest 1.900.3
Testcase:
1.crash.zip

Assertion failure in jpc_floorlog2

On 1.900.17:

imginfo: /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_math.c:94: int jpc_floorlog2(int): Assertion `x > 0' failed.

Testcase: https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2

Definitions in jasper/jas_types.h conflict with libc headers

jasper/jas_types.h contains definitions like:

#if !defined(uchar)
#define uchar unsigned char
#endif

So, uchar is defined as a macro, while most c libraries define uchar as a type.

Notice that the guard #if !defined(uchar) cannot detect whether uchar has already been defined as a type. So the macro in <jasper/jas_types.h> will override the libc definition.

On the other hand, if <sys/types.h> is included after <jasper/jasper_types.h> (but not before, even not indirectly), the macro definition will mangle libc's

typedef unsigned char uchar;

leading to a compilation error.

It seems that one way to fix this would be to replace the macro definitions by type definitions. I am not aware of any libc using macros to define uchar and friends, but if such exists, the existing #ifs could detect that. Note that It is allowed to typedef a type multiple times as long as the definitions agree.

abort on malformed mif

This is actually a different issue from #43. Still present in the current git code.
jasper-abort-new.zip

The attached file causes an abort.

assertion failure in jas_matrix_t

# imginfo $FILE
imginfo: /tmp/portage/media-libs/jasper-1.900.12/work/jasper-1.900.12/src/libjasper/base/jas_seq.c:90: jas_matrix<= yend' failed.

Tested on 1.900.12

Testcase:
https://github.com/asarubbo/poc/blob/master/00003-jasper-assert-jas_matrix_t

--enable-debug should not enable sanitizers

Usually --enable-debug stays for the debug assert.

Would be better have a different way to enable the sanitizers. See the libav way to enable them.
e.g:
./configure --toolchain={asan-gcc,ubsan-gcc,msan-gcc,asan-clang} and so on.

jasper-software / jasper Goto Github PK

jasper's Introduction

JasPer Image Processing/Coding Tool Kit

jasper's People

Contributors

Stargazers

Watchers

Forkers

jasper's Issues

The ASAN report is as follows:

Recommend Projects

Recommend Topics

Recommend Org