Submission #630488: jasper imginfo JasPer Version: 4.2.5 and the newest master Use-after-free

Information

Title: jasper imginfo JasPer Version: 4.2.5 and the newest master Use-after-free
Description:

## Summary

During fuzzing, a critical use-after-free vulnerability was discovered in JasPer's imginfo utility when processing malformed JPEG2000 image files. This is the second variant of the use-after-free vulnerability occurring in the `jpc_dec_dump` function during JPEG2000 decoding, where a heap-allocated memory region is accessed after being freed, leading to memory corruption and potential security exploitation. This variant is distinct from the first, being triggered by different debug levels and input conditions.

## Vulnerability Details

**Program**: imginfo (JasPer Image Information Utility)
**Crash Type**: SIGABRT (Signal 6)
**Root Cause**: Use-after-free in the `jpc_dec_dump` function
**Trigger**: Malformed JPEG2000 image processing with debug level 33554432

## Technical Details

### Vulnerability Mechanism and Root Cause

**Critical Issue**: Heap memory access after free
**Location**: `/workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299`
**Function**: `jpc_dec_dump`

**Root Cause Analysis**:

1. **Memory Management Error**: During JPEG2000 tile processing, heap memory is allocated for decoder structures
2. **Premature Deallocation**: Memory is freed prematurely during error handling or cleanup operations
3. **Continued Access**: The `jpc_dec_dump` function continues to access the freed memory region
4. **Use-After-Free Trigger**: READ operation on freed memory at address 0x6080000001e8
5. **AddressSanitizer Detection**: Memory corruption detected and program terminated

### AddressSanitizer Report

```
=================================================================
==2584956==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x562516b15d7c bp 0x7fff7b7e5290 sp 0x7fff7b7e5288
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x562516b15d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x562516b15d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
    #2 0x562516b2fda5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
    #3 0x562516b2fda5 in jpc_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:270:6
    #4 0x562516a8e42a in jas_image_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:445:16
    #5 0x562516a86961 in main /workspace/benchmark/program/jasper-4.2.5/src/app/imginfo.c:334:16
    #6 0x7f4c05138d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f4c05138e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5625169ab534 in _start (fz-jasper/fz-imginfo/imginfo+0x8d534) (BuildId: 601ffe42860d8d81)

0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x562516a450b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x562516abda2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3

previously allocated by thread T0 here:
    #0 0x562516a4535e in malloc (fz-jasper/fz-imginfo/imginfo+0x12735e) (BuildId: 601ffe42860d8d81)
    #1 0x562516abbcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13 in jpc_dec_dump
Shadow bytes around the buggy address:
  0x607fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x608000000080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 03 fa
  0x608000000100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x608000000180: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x608000000200: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x608000000380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2584956==ABORTING
Aborted (core dumped)
```

### Vulnerable Code Context

The vulnerability occurs in the JPEG2000 decoder when processing tile data:

```c
// In jpc_dec.c:2299 (jpc_dec_dump function)
// Memory access on previously freed heap region
// READ of size 4 at 0x6080000001e8
```

**Critical Call Chain**:

1. `main()` → `jas_image_decode()`
2. `jas_image_decode()` → `jpc_decode()`
3. `jpc_decode()` → `jpc_dec_decode()`
4. `jpc_dec_decode()` → `jpc_dec_process_sod()`
5. `jpc_dec_process_sod()` → `jpc_dec_dump()` ← **CRASH HERE**

## Proof of Concept

**POC File**: [POC_jasper_imginfo_use_after_free_jpc_dec_dump_2](https://drive.google.com/file/d/1pWzx6MlyWdl1usFiwBZT3cJ8Nf8LX6GJ/view?usp=sharing)
**Content**: Malformed JPEG2000 image file that triggers the use-after-free in the decoder

## Reproduction Steps

### Command Line Test

```bash
# Execute vulnerable command with POC file
imginfo --debug-level 33554432 -f POC_jasper_imginfo_use_after_free_jpc_dec_dump_2
```

### Expected Behavior

The command will:

1. Begin JPEG2000 image analysis with debug level 33554432
2. Start decoding malformed JPEG2000 tile data
3. Trigger memory deallocation during error handling
4. Continue execution and access freed memory in `jpc_dec_dump`
5. AddressSanitizer detects the use-after-free at jpc_dec.c:2299
6. Program crashes with a detailed memory corruption report

### Command

- `--debug-level 33554432`: Enable debug output level 33554432 (triggers the specific code path for Variant 2)
- `-f`: Specify input file path

## Affected Versions

**JasPer Version**: 4.2.5 and the newest master
**Build Configuration**: Compiled with AddressSanitizer for vulnerability detection
**Platform**: Linux x86_64

## Credit

Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
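The ASan report above is the raw artefact a fuzzing team has to triage, and the "second variant" framing (plus the Duplicate status of this record) is exactly the bucketing question such reports raise. The helper below is an added example, not part of JasPer or of the reporter's tooling: it parses a heap-use-after-free report in the standard AddressSanitizer text format, extracts the error kind, the faulting access, the first symbolised frame of the access, free and allocation stacks, and builds a crash signature for grouping duplicates. The sample input is constructed from the report quoted above with the stacks trimmed; the field names and the signature depth are my own choices.

```python
"""Triage helper for AddressSanitizer reports from a fuzzing run (example code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the report quoted in the submission above, frames trimmed.
SAMPLE_REPORT = """\
==2584956==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x562516b15d7c bp 0x7fff7b7e5290 sp 0x7fff7b7e5288
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x562516b15d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x562516b15d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
    #2 0x562516b2fda5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
    #3 0x562516b2fda5 in jpc_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:270:6
    #4 0x562516a8e42a in jas_image_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:445:16
    #5 0x562516a86961 in main /workspace/benchmark/program/jasper-4.2.5/src/app/imginfo.c:334:16

0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x562516a450b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x562516abda2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3

previously allocated by thread T0 here:
    #0 0x562516a4535e in malloc (fz-jasper/fz-imginfo/imginfo+0x12735e) (BuildId: 601ffe42860d8d81)
    #1 0x562516abbcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13 in jpc_dec_dump
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.*)$")
SRCLOC_RE = re.compile(r"^(?P<file>\S+):(?P<line>\d+):\d+$")  # symbolised file:line:col
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")


@dataclass
class Frame:
    func: str
    location: str

    def source(self):
        """(file, line) when the frame is symbolised to source, else None."""
        m = SRCLOC_RE.match(self.location)
        return (m.group("file"), int(m.group("line"))) if m else None


@dataclass
class AsanReport:
    kind: str = ""
    access: str = ""
    access_size: int = 0
    region_offset: int = -1
    region_size: int = -1
    stacks: dict = field(default_factory=dict)  # "access" | "freed" | "allocated" -> [Frame]


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, switching stack sections on ASan's marker lines."""
    rep, section = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.kind = m.group("kind")
        elif m := ACCESS_RE.match(line):
            rep.access, rep.access_size = m.group("op"), int(m.group("size"))
            section = "access"
            rep.stacks[section] = []
        elif m := REGION_RE.search(line):
            rep.region_offset, rep.region_size = int(m.group("off")), int(m.group("size"))
        elif line.startswith("freed by"):
            section = "freed"
            rep.stacks[section] = []
        elif line.startswith("previously allocated by"):
            section = "allocated"
            rep.stacks[section] = []
        elif (m := FRAME_RE.match(line)) and section:
            rep.stacks[section].append(Frame(m.group("func"), m.group("loc")))
    return rep


def first_source_frame(frames):
    """First frame with a file:line, skipping unsymbolised entries such as free()/malloc()."""
    return next((f for f in frames if f.source()), None)


def crash_signature(rep: AsanReport, depth: int = 1) -> str:
    """Bucket key: error kind, access type and the top `depth` symbolised functions."""
    funcs = [f.func for f in rep.stacks.get("access", []) if f.source()][:depth]
    return ":".join([rep.kind, rep.access] + funcs)


def triage(text: str) -> dict:
    """Condense a report to the fields a fuzzing dashboard would show."""
    rep = parse_asan_report(text)
    out = {"kind": rep.kind, "access": f"{rep.access} of {rep.access_size}",
           "region": f"offset {rep.region_offset} in {rep.region_size}-byte chunk",
           "signature": crash_signature(rep, depth=3)}
    for key, name in (("crash_site", "access"), ("free_site", "freed"), ("alloc_site", "allocated")):
        f = first_source_frame(rep.stacks.get(name, []))
        if f:
            path, line = f.source()
            out[key] = f"{f.func} @ {path.rsplit('/', 1)[-1]}:{line}"
        else:
            out[key] = "n/a"
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k:10} {v}")
```

With `depth=1` the signature keys only on the crashing function, so two reports that differ in debug level but fault on the same `jpc_dec_dump` line land in the same bucket; raising the depth keeps the caller chain and separates them. Unsymbolised frames (`free`, `malloc` inside the instrumented binary) are skipped on purpose, so the reported free and allocation sites are the library wrappers `jas_basic_free` and `jas_std_alloc`, which is where a maintainer would start reading.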
Source: https://github.com/jasper-software/jasper/issues/403
User: rootsec (UID 85929)
Submitted: 07.08.2025 21:08 (9 months ago)
Moderated: 10.08.2025 13:15 (3 days later)
Status: Duplicate
VulDB Entry: 319371 [JasPer up to 4.2.5 JPEG2000 File jpc_dec.c jpc_dec_dump memory corruption]
Points: 0
