Submission #622408: JasPer The newest master && jasper-4.2.5 Null Pointer Dereference

Title: JasPer The newest master && jasper-4.2.5 Null Pointer Dereference
Description:

## Summary

A critical null pointer dereference vulnerability exists in JasPer's image color space conversion function `jas_image_chclrspc`. When processing malformed image files with specific command-line options, the function receives a null image pointer and attempts to dereference it, causing an immediate segmentation fault.

## Vulnerability Details

**Program**: jasper (JasPer Image Processing Library)

**Crash Type**: SIGSEGV (Signal 11)

**Version**: The newest master && jasper-4.2.5

**Root Cause**: Null pointer dereference in the jas_image_chclrspc function

**Trigger**: Malformed image file processing with BMP output format and color space conversion

## Technical Analysis

### AddressSanitizer Report

```
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2963290==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x556544a89b61 bp 0x7ffe7981a4b0 sp 0x7ffe7981a300 T0)
==2963290==The signal is caused by a READ memory access.
==2963290==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x556544a89b61 in jas_image_chclrspc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24
    #1 0x556544a49e47 in main /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352:20
    #2 0x7faf47643d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7faf47643e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x55654496d0b4 in _start (/workspace/benchmark/fuzzdir/fz-jasper/fz-jasper/jasper+0x8f0b4) (BuildId: 3db493b2468a620b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24 in jas_image_chclrspc
==2963290==ABORTING
```

### GDB Stack Trace Reference

```gdb
Program received signal SIGSEGV, Segmentation fault.
0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /src/libjasper/base/jas_image.c:1707
1707            incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
#0  0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707
#1  0x00005555556bfe48 in main (argc=<optimized out>, argv=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352
```

### Vulnerability Mechanism

**Critical Issue**: `image=0x0` (NULL pointer)

**Location**: `/src/libjasper/base/jas_image.c:1707`

**Root Cause Analysis**:

1. **Image Loading Failure**: Malformed input file causes image loading to fail, returning NULL
2. **Missing Validation**: The main function doesn't validate the image pointer before passing it to color space conversion
3. **Null Pointer Access**: The `jas_image_chclrspc()` function attempts to access `image` fields without a null check
4. **Dereference Crash**: Access to `jas_image_cmptprec(inimage, j)` where `inimage` is NULL triggers SIGSEGV

### Vulnerable Code Context

```c
// In jas_image.c:1707
incmptfmts[i].prec = jas_image_cmptprec(inimage, j); // inimage is NULL
```

The vulnerability occurs when:

- The input file contains malformed image data that fails to load properly
- Image loading functions return NULL to indicate failure
- The main function passes the NULL image pointer to `jas_image_chclrspc()` without validation
- The color space conversion function tries to access image properties through the null pointer

## Reproduction Steps

### Command Line Test

```bash
# Execute vulnerable command with POC file
./jasper --output-format bmp --cmptno ppm -S --input POC_jasper_null_pointer_dereference
```

### Expected Behavior

The command will:

1. Attempt to load the malformed image file
2. Image loading fails and returns NULL
3. The main function passes the NULL pointer to color space conversion
4. `jas_image_chclrspc()` tries to dereference the null pointer
5. Crash with SIGSEGV at jas_image.c:1707

## Distinction from Assertion Failure Vulnerability

This vulnerability is **distinct** from the SIGABRT assertion failure (another report):

### Key Differences:

| Aspect | Assertion Failure (My other report) | Null Dereference (This Report) |
|--------|------------------------------------|---------------------------------|
| **Signal** | SIGABRT (6) | SIGSEGV (11) |
| **Location** | `jpc_math.c:89` | `jas_image.c:1707` |
| **Function** | `jpc_floorlog2` | `jas_image_chclrspc` |
| **Root Cause** | Invalid parameter (x=0) to math function | Null pointer passed to image function |
| **Trigger Options** | `--output-format jp2 -O cblkwidth=` | `--output-format bmp --cmptno ppm -S` |

## Proof of Concept

**POC File**: [`POC_jasper_null_pointer_dereference`](https://drive.google.com/file/d/1E754R-FsFkNJp9OYtu6Dqjv47uGSVP18/view?usp=sharing)

## Credit

Xudong Cao (UCAS)

Yuqing Zhang (UCAS, Zhongguancun Laboratory)
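The root-cause chain in the report (decoder fails and returns NULL, the caller converts anyway, the converter dereferences) is modelled in C by the following added example. It is not JasPer code: the `img_t` struct, the toy "IMG" container and the function names are hypothetical stand-ins for `jas_image_t`, the decoder and `jas_image_chclrspc`. It places the unchecked converter beside a hardened one and a caller that refuses to convert when decoding fails.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a decoded image; NOT JasPer's jas_image_t. */
typedef struct { int numcmpts; int prec[4]; } img_t;

/* Constructed toy container: "IMG" magic, a component count byte, then one
 * precision byte per component. Any malformed input makes the loader return
 * NULL, which is the failure the report describes for the image decoder. */
static img_t *load_image(const unsigned char *buf, size_t len)
{
    if (len < 4 || memcmp(buf, "IMG", 3) != 0) return NULL;
    int n = buf[3];
    if (n < 1 || n > 4 || len < 4 + (size_t)n) return NULL;
    img_t *im = malloc(sizeof *im);
    if (!im) return NULL;
    im->numcmpts = n;
    for (int i = 0; i < n; i++) im->prec[i] = buf[4 + i];
    return im;
}

/* Pattern from the report: the converter trusts its image argument, so a
 * NULL from a failed load is dereferenced here (the jas_image.c:1707 analogue). */
int chclrspc_unchecked(const img_t *im, int *out_prec)
{
    for (int i = 0; i < im->numcmpts; i++) out_prec[i] = im->prec[i];
    return im->numcmpts;
}

/* Hardened converter: reject NULL instead of dereferencing it.
 * Returns the number of components copied, or -1 on invalid arguments. */
int chclrspc_checked(const img_t *im, int *out_prec)
{
    if (!im || !out_prec) return -1;
    for (int i = 0; i < im->numcmpts; i++) out_prec[i] = im->prec[i];
    return im->numcmpts;
}

/* Hardened caller: validate the decode result before any conversion.
 * 0 = converted, -1 = decode failed (conversion skipped), -2 = conversion failed. */
int convert_pipeline(const unsigned char *buf, size_t len, int *out_prec)
{
    img_t *im = load_image(buf, len);
    if (!im) { fprintf(stderr, "error: cannot decode input, refusing to convert\n"); return -1; }
    int rc = chclrspc_checked(im, out_prec);
    free(im);
    return rc < 0 ? -2 : 0;
}
```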
Source: https://github.com/jasper-software/jasper/issues/400

User: nipc-cxd (UID 88335)

Submitted: 25/07/2025 14:25 (9 months ago)

Moderated: 10/08/2025 13:14 (16 days later)

Status: Accepted

VulDB Entry: 319369 [JasPer up to 4.2.5 Image Color Space Conversion jas_image.c jas_image_chclrspc denial of service]

Points: 20
