jasper
Security: size_t overflow in jas_stream_peek
Hi, I am writing to report a size_t overflow that I discovered in this project.
- Vulnerability Summary:
/root/build/jasper-4.2.8/src/libjasper/base/jas_stream.c:713:22: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/build/jasper-4.2.8/src/libjasper/base/jas_stream.c:713:22 in
- Affected Version: The latest release version 4.2.8.
- Reproduce
  - Command line:
  jasper "--input" "A" "--output" "B" "--input-format" "pg" "--output-format" "jpc" "" ""
  - Compile the executable binary with the "--fsanitizer=undefined" flag.
  - Corrupted input data A (unzip A.zip first):
Best regards,
@xmoezzz: I cannot reproduce this problem with the latest commit of JasPer on the master branch. When I run the jasper program (built with ASan and UBSan enabled) with the command line that you specified, I get the following output:
warning: ignoring bogus command line argument
warning: ignoring bogus command line argument
invalid PGX signature
cannot get header
jas_image_decode: decode operation failed
error: cannot load image data
Did you try the latest commit on the master branch?
Thanks for your reply! I tried the latest commit of the master branch (7576bf0).
This is my build command:
CC=clang CXX=clang++ \
cmake -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=null -fsanitize=pointer-overflow -g -O1" \
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined" \
-DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address,undefined" \
../jasper
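As an added illustration (not JasPer's code and not the jas_stream_peek implementation the report points at), the following toy buffered-stream peek shows the pattern behind a diagnostic like "0 - 1 cannot be represented in type 'size_t'": a remaining-bytes count computed by plain subtraction wraps to SIZE_MAX when fewer bytes are buffered than requested, and the guarded forms check the bound before subtracting. All names (toy_stream, toy_peek_*, toy_remaining_after_peek) are hypothetical, and it goes slightly beyond the report by showing both a clamping and a rejecting variant. Compiling it with the -fsanitize=unsigned-integer-overflow flag from the build command above makes the sanitizer flag the unguarded function at run time; without the sanitizer the subtraction silently wraps.

```c
/* Added example, not JasPer's code. Demonstrates the size_t wrap-around that
 * -fsanitize=unsigned-integer-overflow reports, beside two guarded forms.
 * toy_stream and the toy_* functions are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_stream {
    const unsigned char *buf; /* buffered bytes (constructed sample data) */
    size_t cnt;               /* number of buffered bytes still unread */
};

/* Build a stream over a NUL-terminated constructed sample string. */
struct toy_stream toy_make(const char *data)
{
    struct toy_stream s;
    s.buf = (const unsigned char *)data;
    s.cnt = strlen(data);
    return s;
}

/* Unguarded: remaining count after peeking n bytes, by plain subtraction.
 * With cnt == 0 and n == 1 this evaluates 0 - 1 in size_t and wraps to
 * SIZE_MAX; the sanitizer reports exactly this kind of expression. */
size_t toy_peek_remaining_unguarded(const struct toy_stream *s, size_t n)
{
    return s->cnt - n;
}

/* Guarded, clamping variant: copy at most the bytes actually buffered.
 * Returns the number of bytes copied (0..n); never subtracts past zero. */
size_t toy_peek_guarded(const struct toy_stream *s, unsigned char *dst, size_t n)
{
    if (n > s->cnt) {
        n = s->cnt; /* clamp to what is buffered */
    }
    memcpy(dst, s->buf, n);
    return n;
}

/* Guarded, rejecting variant: report an error instead of wrapping.
 * Returns 0 on success with *remaining set, -1 when n exceeds the buffer. */
int toy_remaining_after_peek(const struct toy_stream *s, size_t n, size_t *remaining)
{
    if (n > s->cnt) {
        return -1; /* would wrap; refuse the operation */
    }
    *remaining = s->cnt - n;
    return 0;
}

int main(void)
{
    struct toy_stream empty = toy_make("");
    struct toy_stream abc = toy_make("abc");
    unsigned char dst[4] = {0};
    size_t rem = 0;

    /* Under the sanitizer this line triggers the overflow diagnostic. */
    printf("unguarded remaining on empty stream: %zu\n",
           toy_peek_remaining_unguarded(&empty, 1));

    printf("guarded peek of 2 from \"abc\": copied %zu bytes\n",
           toy_peek_guarded(&abc, dst, 2));
    printf("guarded peek of 2 from empty stream: copied %zu bytes\n",
           toy_peek_guarded(&empty, dst, 2));

    if (toy_remaining_after_peek(&empty, 1, &rem) != 0) {
        printf("rejecting variant refused the peek on an empty stream\n");
    }
    if (toy_remaining_after_peek(&abc, 2, &rem) == 0) {
        printf("rejecting variant: %zu byte(s) remain after peeking 2\n", rem);
    }
    return 0;
}
```

The clamping form suits a read/peek API that may legitimately return fewer bytes than asked for; the rejecting form suits an internal helper whose callers must never see a wrapped count. Either way the bound check happens before the subtraction, which is what the sanitizer finding asks for.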