| Title | JasPer The newest master && jasper-4.2.5 Assertion Failure |
|---|
| Description | ## Summary
A critical assertion failure vulnerability exists in JasPer's JPEG2000 codec when processing malformed image files. The vulnerability occurs in the `jpc_floorlog2` function when it receives invalid input parameters, causing the assertion `x > 0` to fail and resulting in program termination.
## Vulnerability Details
**Program**: jasper (JasPer Image Processing Library)
**Crash Type**: SIGABRT (Signal 6)
**Version**: The newest master && jasper-4.2.5
**Root Cause**: Assertion failure in jpc_floorlog2 function
**Trigger**: Malformed JPEG2000 image processing with invalid cblkwidth parameter
## Technical Analysis
### Actual Crash Output
```
jasper: /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_math.c:89: unsigned int jpc_floorlog2(uint_fast32_t): Assertion `x > 0' failed.
Aborted
```
### GDB Stack Trace Reference
```gdb
jasper: jpc_math.c:89: unsigned int jpc_floorlog2(uint_fast32_t): Assertion `x > 0' failed.
Program received signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350377664)
#1 __pthread_kill_internal (signo=6, threadid=140737350377664)
#2 __GI___pthread_kill (threadid=140737350377664, signo=signo@entry=6)
#3 0x00007ffff7cad476 in __GI_raise (sig=sig@entry=6)
#4 0x00007ffff7c937f3 in __GI_abort ()
#5 0x00007ffff7c9371b in __assert_fail_base
#6 0x00007ffff7ca4e96 in __GI___assert_fail (assertion=0x5555555b35a0 "x > 0", file=0x5555555b35c0 "jpc_math.c", line=89, function=0x5555555b3640 "jpc_floorlog2")
#7 0x0000555555784d94 in cp_create (optstr=<optimized out>, image=0x608000000140)
#8 jpc_encode (image=<optimized out>, out=<optimized out>, optstr=<optimized out>)
#9 0x000055555573b6eb in jp2_encode (image=0x608000000140, out=<optimized out>, optstr=<optimized out>)
#10 0x00005555556c024f in main (argc=<optimized out>, argv=<optimized out>)
```
### Vulnerability Mechanism
**Failed Assertion**: `assert(x > 0)` in `jpc_floorlog2(uint_fast32_t x)`
**Location**: `/src/libjasper/jpc/jpc_math.c:89`
**Root Cause Analysis**:
1. **Parameter Processing**: JasPer processes the `-O cblkwidth=` option with an empty or invalid value
2. **Invalid Value Propagation**: The empty/malformed parameter value gets converted to 0
3. **Math Function Failure**: The `jpc_floorlog2()` function is called with x=0, violating its precondition
4. **Assertion Failure**: The function expects x > 0 for the logarithm calculation, so the assertion fails
5. **Program Termination**: The assertion failure triggers SIGABRT and program termination
### Vulnerable Code Context
```c
// In jpc_math.c:89
#include <assert.h>
#include <stdint.h>

unsigned int jpc_floorlog2(uint_fast32_t x)
{
    assert(x > 0); // VULNERABLE ASSERTION: x == 0 aborts the process here
    // ... logarithm calculation code
}
```
The vulnerability occurs when:
- User provides malformed codec options like `-O cblkwidth=` (empty value)
- Option parsing converts empty/invalid value to 0
- JPEG2000 encoding process calls `jpc_floorlog2(0)`
- The assertion fails because 0 is not a valid input for the logarithm calculation
## Reproduction Steps
### Command Line Test
```bash
# Execute vulnerable command with POC file
./jasper --output-format jp2 -O cblkwidth= --memory-limit 59395 --input POC_jasper_jpc_floorlog2_assertion_failure
```
### Expected Behavior
The command will:
1. Begin JPEG2000 encoding process
2. Process the empty `cblkwidth=` parameter as 0
3. Call `jpc_floorlog2(0)` during encoding
4. Trigger assertion failure at jpc_math.c:89
5. Crash with SIGABRT and "Assertion `x > 0' failed" message
## Proof of Concept
**POC File**: [`POC_jasper_jpc_floorlog2_assertion_failure` ](https://drive.google.com/file/d/1pPgndhHh2z0lk99Wt31W-XIW3XWt8FB3/view?usp=drive_link)
## Credit
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/jasper-software/jasper/issues/401 |
|---|
| User | nipc-cxd (UID 88335) |
|---|
| Submission | 25/07/2025 14:26 (9 months ago) |
|---|
| Moderation | 10/08/2025 13:15 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 319370 [JasPer up to 4.2.5 JPEG2000 Encoder jpc_enc.c jpc_floorlog2 denial of service] |
|---|
| Points | 20 |
|---|
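The mechanism the report above describes, as an added example that is neither the reporter's code nor JasPer's: an empty `cblkwidth=` value is parsed to 0 and handed to a floor-log2 helper whose only guard is an `assert`, placed beside a parser that rejects the value at the option boundary before any logarithm is taken. The function names `floorlog2`, `cblkwidth_naive` and `cblkwidth_expn_checked` are hypothetical; only the `x > 0` precondition is taken from the report. The range check (a power of two from 4 to 1024) is the JPEG 2000 code-block size constraint, not something the report states.

```c
/* Added example: not from the issue above and not JasPer code. It reconstructs
 * the path the report describes (an empty "cblkwidth=" value parsed to 0 and
 * handed to a floor-log2 helper guarded only by assert) next to a parser that
 * rejects the value first. floorlog2, cblkwidth_naive and
 * cblkwidth_expn_checked are hypothetical names. */
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* floor(log2(x)) with the precondition quoted in the report. Compiled with
 * NDEBUG the assert vanishes and floorlog2(0) quietly returns 0 here, so the
 * assert is a debugging aid, not input validation. */
static unsigned int floorlog2(uint_fast32_t x)
{
    assert(x > 0);
    unsigned int y = 0;
    while (x > 1) {
        x >>= 1;
        ++y;
    }
    return y;
}

/* Naive handling of "cblkwidth=VALUE": atoi("") is 0 and nothing stops that 0
 * from reaching floorlog2(). Returns the raw parsed value. */
int cblkwidth_naive(const char *opt)
{
    const char *eq = strchr(opt, '=');
    return atoi(eq ? eq + 1 : "");
}

/* Checked handling: validates the value at the option boundary and only then
 * takes the logarithm. Returns the code-block width exponent (2..10), or -1 if
 * the value is missing, not an integer, has trailing characters, or is not a
 * power of two in the JPEG 2000 code-block range 4..1024. */
int cblkwidth_expn_checked(const char *opt)
{
    const char *eq = strchr(opt, '=');
    if (eq == NULL || eq[1] == '\0')
        return -1;                           /* "cblkwidth" or "cblkwidth=" */
    errno = 0;
    char *end = NULL;
    long v = strtol(eq + 1, &end, 10);
    if (errno != 0 || *end != '\0' || v < 4 || v > 1024)
        return -1;                           /* garbage, overflow, out of range */
    if ((v & (v - 1)) != 0)
        return -1;                           /* not a power of two */
    return (int)floorlog2((uint_fast32_t)v); /* v >= 4 here, precondition holds */
}

int main(void)
{
    /* Constructed sample option strings, including the one from the report. */
    const char *samples[] = { "cblkwidth=", "cblkwidth=64", "cblkwidth=100",
                              "cblkwidth=-8", "cblkwidth=64x", "cblkwidth=4096" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int naive = cblkwidth_naive(samples[i]);
        int expn = cblkwidth_expn_checked(samples[i]);
        /* The naive value 0 is exactly what would abort in floorlog2(); it is
         * printed rather than passed on so this program does not abort. */
        printf("%-15s naive=%d checked=%d\n", samples[i], naive, expn);
    }
    return 0;
}
```

The point of the checked variant is that the precondition is enforced where untrusted input enters, so `floorlog2` is never reached with 0 regardless of whether the build keeps assertions; an `assert` alone either aborts the process (a denial of service on a release build that keeps it) or disappears under `NDEBUG` and lets the bad value continue into the encoder.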