| Title | JasPer The newest master && jasper-4.2.5 Null Pointer Dereference |
|---|
| Description | ## Summary
A critical null pointer dereference vulnerability exists in JasPer's image color space conversion function `jas_image_chclrspc`. When processing malformed image files with specific command-line options, the function receives a null image pointer and attempts to dereference it, causing an immediate segmentation fault.
## Vulnerability Details
**Program**: jasper (JasPer Image Processing Library)
**Crash Type**: SIGSEGV (Signal 11)
**Version**: newest master and jasper-4.2.5
**Root Cause**: Null pointer dereference in jas_image_chclrspc function
**Trigger**: Malformed image file processing with BMP output format and color space conversion
## Technical Analysis
### AddressSanitizer Report
```
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2963290==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x556544a89b61 bp 0x7ffe7981a4b0 sp 0x7ffe7981a300 T0)
==2963290==The signal is caused by a READ memory access.
==2963290==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x556544a89b61 in jas_image_chclrspc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24
#1 0x556544a49e47 in main /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352:20
#2 0x7faf47643d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7faf47643e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#4 0x55654496d0b4 in _start (/workspace/benchmark/fuzzdir/fz-jasper/fz-jasper/jasper+0x8f0b4) (BuildId: 3db493b2468a620b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24 in jas_image_chclrspc
==2963290==ABORTING
```
### GDB Stack Trace Reference
```gdb
Program received signal SIGSEGV, Segmentation fault.
0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /src/libjasper/base/jas_image.c:1707
1707 incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
#0 0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707
#1 0x00005555556bfe48 in main (argc=<optimized out>, argv=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352
```
### Vulnerability Mechanism
**Critical Issue**: `image=0x0` (NULL pointer)
**Location**: `/src/libjasper/base/jas_image.c:1707`
**Root Cause Analysis**:
1. **Image Loading Failure**: Malformed input file causes image loading to fail, returning NULL
2. **Missing Validation**: The main function doesn't validate the image pointer before passing it to color space conversion
3. **Null Pointer Access**: `jas_image_chclrspc()` function attempts to access `image` fields without null check
4. **Dereference Crash**: Access to `jas_image_cmptprec(inimage, j)` where `inimage` is NULL triggers SIGSEGV
### Vulnerable Code Context
```c
// In jas_image.c:1707
incmptfmts[i].prec = jas_image_cmptprec(inimage, j); // inimage is NULL
```
The vulnerability occurs when:
- Input file contains malformed image data that fails to load properly
- Image loading functions return NULL to indicate failure
- Main function passes NULL image pointer to `jas_image_chclrspc()` without validation
- Color space conversion function tries to access image properties through null pointer
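The load-then-convert sequence described above, as a constructed C model added here (not JasPer's code): the unchecked access shape next to a hardened converter, plus a caller that validates the loader result before converting. The names `model_load`, `convert_unchecked`, `convert_checked`, `model_pipeline` and the two-byte "P6" magic are assumptions of the model.

```c
/* Constructed model of the load -> colour-space-convert pipeline; not JasPer's code. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int numcmpts;
    int prec[4];
} model_image_t;

/* Constructed loader: returns NULL on malformed input, the way a decoder reports failure. */
static model_image_t *model_load(const unsigned char *buf, size_t len, model_image_t *storage)
{
    if (len < 2 || buf[0] != 'P' || buf[1] != '6')
        return NULL;                          /* malformed: the caller must handle this */
    storage->numcmpts = 3;
    for (int i = 0; i < storage->numcmpts; i++)
        storage->prec[i] = 8;
    return storage;
}

/* Vulnerable shape (cf. jas_image.c:1707): reads image fields with no NULL check. */
static int convert_unchecked(const model_image_t *image, int *outprec)
{
    for (int i = 0; i < image->numcmpts; i++)  /* SIGSEGV if image == NULL */
        outprec[i] = image->prec[i];
    return image->numcmpts;
}

/* Hardened shape: reject a NULL image and signal failure instead of dereferencing. */
static int convert_checked(const model_image_t *image, int *outprec)
{
    if (image == NULL)
        return -1;
    return convert_unchecked(image, outprec);  /* safe here: image is non-NULL */
}

/* Caller modelled on the main() pipeline: validate the loader result before converting.
 * Returns the component count on success, -1 when loading or conversion fails. */
int model_pipeline(const unsigned char *buf, size_t len, int *outprec)
{
    model_image_t storage;
    model_image_t *image = model_load(buf, len, &storage);
    if (image == NULL) {
        fprintf(stderr, "error: cannot load image data\n");
        return -1;                            /* fail closed; never reach the converter with NULL */
    }
    return convert_checked(image, outprec);
}
```

Both checks matter: the caller-side check stops a failed load from propagating, and the converter-side check protects every other call site that reaches the conversion routine.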
## Reproduction Steps
### Command Line Test
```bash
# Execute vulnerable command with POC file
./jasper --output-format bmp --cmptno ppm -S --input POC_jasper_null_pointer_dereference
```
### Expected Behavior
The command will:
1. Attempt to load malformed image file
2. Image loading fails and returns NULL
3. Main function passes NULL pointer to color space conversion
4. `jas_image_chclrspc()` tries to dereference null pointer
5. Crash with SIGSEGV at jas_image.c:1707
## Distinction from Assertion Failure Vulnerability
This vulnerability is **distinct** from the SIGABRT assertion failure (another report):
### Key Differences:
| Aspect | Assertion Failure (My other report) | Null Dereference (This Report) |
|--------|------------------------------------|---------------------------------|
| **Signal** | SIGABRT (6) | SIGSEGV (11) |
| **Location** | `jpc_math.c:89` | `jas_image.c:1707` |
| **Function** | `jpc_floorlog2` | `jas_image_chclrspc` |
| **Root Cause** | Invalid parameter (x=0) to math function | Null pointer passed to image function |
| **Trigger Options** | `--output-format jp2 -O cblkwidth=` | `--output-format bmp --cmptno ppm -S` |
## Proof of Concept
**POC File**: [`POC_jasper_null_pointer_dereference`](https://drive.google.com/file/d/1E754R-FsFkNJp9OYtu6Dqjv47uGSVP18/view?usp=sharing)
## Credit
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/jasper-software/jasper/issues/400 |
|---|
| User | nipc-cxd (UID 88335) |
|---|
| Submission | 07/25/2025 14:25 (9 months ago) |
|---|
| Moderation | 08/10/2025 13:14 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319369 [JasPer up to 4.2.5 Image Color Space Conversion jas_image.c jas_image_chclrspc null pointer dereference] |
|---|
| Points | 20 |
|---|