JasPer jas_image_chclrspc Null Pointer Dereference Vulnerability

[err2zero]

Summary

A critical null pointer dereference vulnerability exists in JasPer's image color space conversion function jas_image_chclrspc. When processing malformed image files with specific command-line options, the function receives a null image pointer and attempts to dereference it, causing immediate segmentation fault.

Vulnerability Details

Program: jasper (JasPer Image Processing Library)
Crash Type: SIGSEGV (Signal 11)
Version:The newest master && jasper-4.2.5
Root Cause: Null pointer dereference in jas_image_chclrspc function
Trigger: Malformed image file processing with BMP output format and color space conversion

Technical Analysis

AddressSanitizer Report

warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
warning: skipping unknown tag type
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2963290==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x556544a89b61 bp 0x7ffe7981a4b0 sp 0x7ffe7981a300 T0)
==2963290==The signal is caused by a READ memory access.
==2963290==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x556544a89b61 in jas_image_chclrspc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24
    #1 0x556544a49e47 in main /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352:20
    #2 0x7faf47643d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7faf47643e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x55654496d0b4 in _start (/workspace/benchmark/fuzzdir/fz-jasper/fz-jasper/jasper+0x8f0b4) (BuildId: 3db493b2468a620b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707:24 in jas_image_chclrspc
==2963290==ABORTING

GDB Stack Trace Reference

Program received signal SIGSEGV, Segmentation fault.
0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /src/libjasper/base/jas_image.c:1707
1707			incmptfmts[i].prec = jas_image_cmptprec(inimage, j);

#0  0x00005555556ffb61 in jas_image_chclrspc (image=0x0, outprof=<optimized out>, intent=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:1707
#1  0x00005555556bfe48 in main (argc=<optimized out>, argv=<optimized out>) at /workspace/benchmark/program/jasper-4.2.5/src/app/jasper.c:352

Vulnerability Mechanism

Critical Issue: image=0x0 (NULL pointer)
Location: /src/libjasper/base/jas_image.c:1707

Root Cause Analysis:

1. Image Loading Failure: Malformed input file causes image loading to fail, returning NULL
2. Missing Validation: The main function doesn't validate the image pointer before passing it to color space conversion
3. Null Pointer Access: jas_image_chclrspc() function attempts to access image fields without null check
4. Dereference Crash: Access to jas_image_cmptprec(inimage, j) where inimage is NULL triggers SIGSEGV

Vulnerable Code Context

// In jas_image.c:1707
incmptfmts[i].prec = jas_image_cmptprec(inimage, j);  // inimage is NULL

The vulnerability occurs when:

• Input file contains malformed image data that fails to load properly
• Image loading functions return NULL to indicate failure
• Main function passes NULL image pointer to jas_image_chclrspc() without validation
• Color space conversion function tries to access image properties through null pointer

Reproduction Steps

Command Line Test

# Execute vulnerable command with POC file
./jasper --output-format bmp --cmptno ppm -S --input POC_jasper_null_pointer_dereference

Expected Behavior

The command will:

1. Attempt to load malformed image file
2. Image loading fails and returns NULL
3. Main function passes NULL pointer to color space conversion
4. jas_image_chclrspc() tries to dereference null pointer
5. Crash with SIGSEGV at jas_image.c:1707

Distinction from Assertion Failure Vulnerability

This vulnerability is distinct from the SIGABRT assertion failure (another report):

Key Differences:

Aspect	Assertion Failure (My other report)	Null Dereference (This Report)
Signal	SIGABRT (6)	SIGSEGV (11)
Location	jpc_math.c:89	jas_image.c:1707
Function	jpc_floorlog2	jas_image_chclrspc
Root Cause	Invalid parameter (x=0) to math function	Null pointer passed to image function
Trigger Options	--output-format jp2 -O cblkwidth=	--output-format bmp --cmptno ppm -S

Proof of Concept

POC File: POC_jasper_null_pointer_dereference

Credit

Xudong Cao (UCAS)

Yuqing Zhang (UCAS, Zhongguancun Laboratory)

[mdadams]

@err2zero: I examined this issue in detail. Your comment for jas_image.c:1707 is not correct, as inimage is not null. The problem is that j is -1, which results in out-of-bounds array indexing. In any case, your analysis was still helpful. Thank you for your bug report. I have prepared a fix for this issue, which I will push shortly, after performing some additional testing. Incidentally, if you have a CVE for this issue, please let me know so that I can document that the CVE is fixed.

[err2zero]

@err2zero: I examined this issue in detail. Your comment for jas_image.c:1707 is not correct, as inimage is not null. The problem is that j is -1, which results in out-of-bounds array indexing. In any case, your analysis was still helpful. Thank you for your bug report. I have prepared a fix for this issue, which I will push shortly, after performing some additional testing. Incidentally, if you have a CVE for this issue, please let me know so that I can document that the CVE is fixed.

Thank you for the quick fix and the follow-up! I’ve now received CVE-2025-8835 for this issue.

[mdadams]

@err2zero : I added a reference to your CVE in the NEWS document. See commit 1d4ccc7.