Submit #630487: jasper imginfo JasPer Version: 4.2.5 and the newest master Use-after-free
Information

Title: jasper imginfo JasPer Version: 4.2.5 and the newest master Use-after-free

Description:

## Summary

During fuzzing, a critical use-after-free vulnerability was discovered in JasPer's imginfo utility when processing malformed JPEG2000 image files. The vulnerability occurs in the `jpc_dec_dump` function during JPEG2000 decoding, where a heap-allocated memory region is accessed after being freed, leading to memory corruption and potential security exploitation.

## Vulnerability Details

**Program**: imginfo (JasPer Image Information Utility)
**Crash Type**: SIGABRT (Signal 6)
**Root Cause**: Use-after-free in the `jpc_dec_dump` function
**Trigger**: Malformed JPEG2000 image processing with debug level 32

## Technical Details

### Vulnerability Mechanism and Root Cause

**Critical Issue**: Heap memory access after free
**Location**: `/workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299`
**Function**: `jpc_dec_dump`

**Root Cause Analysis**:

1. **Memory Management Error**: During JPEG2000 tile processing, heap memory is allocated for decoder structures
2. **Premature Deallocation**: Memory is freed prematurely during error handling or cleanup operations
3. **Continued Access**: The `jpc_dec_dump` function continues to access the freed memory region
4. **Use-After-Free Trigger**: READ operation on freed memory at address 0x6080000001e8
5. **AddressSanitizer Detection**: Memory corruption detected and program terminated

### AddressSanitizer Report

```
=================================================================
==2584920==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x557250b99d7c bp 0x7ffc6f063930 sp 0x7ffc6f063928
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x557250b99d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x557250b99d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
    #2 0x557250bb3da5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
    #3 0x557250bb3da5 in jpc_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:270:6
    #4 0x557250b1242a in jas_image_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:445:16
    #5 0x557250b0a961 in main /workspace/benchmark/program/jasper-4.2.5/src/app/imginfo.c:334:16
    #6 0x7f2780a32d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f2780a32e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x557250a2f534 in _start (fz-jasper/fz-imginfo/imginfo+0x8d534) (BuildId: 601ffe42860d8d81)

0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x557250ac90b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x557250b41a2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3

previously allocated by thread T0 here:
    #0 0x557250ac935e in malloc (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x557250b3fcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13 in jpc_dec_dump
Shadow bytes around the buggy address:
  0x607fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x608000000080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 03 fa
  0x608000000100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x608000000180: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x608000000200: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x608000000380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2584920==ABORTING
Aborted (core dumped)
```

### Vulnerable Code Context

The vulnerability occurs in the JPEG2000 decoder when processing tile data:

```c
// In jpc_dec.c:2299 (jpc_dec_dump function)
// Memory access on previously freed heap region
// READ of size 4 at 0x6080000001e8
```

**Critical Call Chain**:

1. `main()` → `jas_image_decode()`
2. `jas_image_decode()` → `jpc_decode()`
3. `jpc_decode()` → `jpc_dec_decode()`
4. `jpc_dec_decode()` → `jpc_dec_process_sod()`
5. `jpc_dec_process_sod()` → `jpc_dec_dump()` ← **CRASH HERE**

## Proof of Concept

**POC File**: [POC_jasper_imginfo_use_after_free_jpc_dec_dump_1](https://drive.google.com/file/d/17Ic_DDOlH7mMT7IbTN2Bmo6SrujIUh24/view?usp=sharing)
**Content**: Malformed JPEG2000 image file that triggers the use-after-free in the decoder

## Reproduction Steps

### Command Line Test

```bash
# Execute vulnerable command with POC file
fz-jasper/fz-imginfo/imginfo --debug-level 32 -f POC_jasper_imginfo_use_after_free_jpc_dec_dump_1
```

### Expected Behavior

The command will:

1. Begin JPEG2000 image analysis with debug level 32
2. Start decoding malformed JPEG2000 tile data
3. Trigger memory deallocation during error handling
4. Continue execution and access freed memory in `jpc_dec_dump`
5. AddressSanitizer detects the use-after-free at jpc_dec.c:2299
6. Program crashes with a detailed memory corruption report

### Command Options

- `--debug-level 32`: Enable debug output level 32 (triggers the specific code path)
- `-f`: Specify input file path

## Affected Versions

**JasPer Version**: 4.2.5 and the newest master
**Build Configuration**: Compiled with AddressSanitizer for vulnerability detection
**Platform**: Linux x86_64

## Credit

Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
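An added triage helper, not part of this issue or of JasPer: it parses the AddressSanitizer report above (its key lines embedded here as a constructed sample) into crash kind, access, region and the faulting, free and allocation stacks, and derives a deduplication signature from the in-tree frames so repeated fuzzer hits on this jpc_dec_dump path bucket together. The function names `parse_asan_report`, `in_tree` and `crash_signature` are this example's own.

```python
import re

# Constructed sample: the key lines of the AddressSanitizer report quoted in this issue.
SAMPLE_REPORT = """\
==2584920==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x557250b99d7c
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x557250b99d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x557250b99d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
    #2 0x557250bb3da5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x557250ac90b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6)
    #1 0x557250b41a2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3
previously allocated by thread T0 here:
    #0 0x557250ac935e in malloc (fz-jasper/fz-imginfo/imginfo+0x1270b6)
    #1 0x557250b3fcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")  # "#N pc in func location"

def parse_asan_report(text):
    """Split an ASan report into crash kind, access, region and the three stacks."""
    info = {"kind": None, "address": None, "access": None, "size": None, "offset": None,
            "region_size": None, "stacks": {"access": [], "freed_by": [], "allocated_by": []}}
    current = None  # which stack the following #N frames belong to
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            current = "access"
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith(("freed by thread", "previously allocated by thread")):
            current = "freed_by" if line.startswith("freed") else "allocated_by"
        elif (m := FRAME_RE.match(line)) and current:
            info["stacks"][current].append((m.group(1), m.group(2)))
    return info

def in_tree(stack):
    """Keep only frames resolved to a source file:line; interceptors (free, malloc) carry just a module offset."""
    return [(fn, loc) for fn, loc in stack if re.search(r"\.[ch]:\d+", loc)]

def crash_signature(info, depth=3):
    """Deduplication key: crash kind plus the top in-tree functions of the faulting stack."""
    return "|".join([info["kind"]] + [fn for fn, _ in in_tree(info["stacks"]["access"])[:depth]])
```

The same parser applies to any ASan report saved from a fuzzing run; the offset and region size fields help spot when several POCs hit the same 96-byte decoder structure.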
Source: https://github.com/jasper-software/jasper/issues/402
User: rootsec (UID 85929)
Submitted: 07.08.2025 21:08 (9 months ago)
Moderated: 10.08.2025 13:15 (3 days later)
Status: accepted
VulDB Entry: 319371 [JasPer up to 4.2.5 JPEG2000 File jpc_dec.c jpc_dec_dump memory corruption]
Points: 20
