JasPer jpc_floorlog2 Assertion Failure Vulnerability #401

@err2zero

Summary

A critical assertion failure vulnerability exists in JasPer's JPEG2000 codec when processing malformed image files. The vulnerability occurs in the jpc_floorlog2 function when it receives invalid input parameters, causing the assertion x > 0 to fail and resulting in program termination.

Vulnerability Details

Program: jasper (JasPer Image Processing Library)
Crash Type: SIGABRT (Signal 6)
Version: The newest master && jasper-4.2.5
Root Cause: Assertion failure in jpc_floorlog2 function
Trigger: Malformed JPEG2000 image processing with invalid cblkwidth parameter

Technical Analysis

Actual Crash Output

jasper: /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_math.c:89: unsigned int jpc_floorlog2(uint_fast32_t): Assertion `x > 0' failed.
Aborted

GDB Stack Trace Reference

jasper: jpc_math.c:89: unsigned int jpc_floorlog2(uint_fast32_t): Assertion `x > 0' failed.

Program received signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350377664)
#1  __pthread_kill_internal (signo=6, threadid=140737350377664)
#2  __GI___pthread_kill (threadid=140737350377664, signo=signo@entry=6)
#3  0x00007ffff7cad476 in __GI_raise (sig=sig@entry=6)
#4  0x00007ffff7c937f3 in __GI_abort ()
#5  0x00007ffff7c9371b in __assert_fail_base
#6  0x00007ffff7ca4e96 in __GI___assert_fail (assertion=0x5555555b35a0 "x > 0", file=0x5555555b35c0 "jpc_math.c", line=89, function=0x5555555b3640 "jpc_floorlog2")
#7  0x0000555555784d94 in cp_create (optstr=<optimized out>, image=0x608000000140)
#8  jpc_encode (image=<optimized out>, out=<optimized out>, optstr=<optimized out>)
#9  0x000055555573b6eb in jp2_encode (image=0x608000000140, out=<optimized out>, optstr=<optimized out>)
#10 0x00005555556c024f in main (argc=<optimized out>, argv=<optimized out>)

Vulnerability Mechanism

Failed Assertion: assert(x > 0) in jpc_floorlog2(uint_fast32_t x)
Location: /src/libjasper/jpc/jpc_math.c:89

Root Cause Analysis:

  1. Parameter Processing: JasPer processes the -O cblkwidth= option with an empty or invalid value
  2. Invalid Value Propagation: The empty/malformed parameter value gets converted to 0
  3. Math Function Failure: The jpc_floorlog2() function is called with x=0, violating its precondition
  4. Assertion Failure: The function expects x > 0 for the logarithm calculation, so the assertion fails
  5. Program Termination: The assertion failure triggers SIGABRT and program termination

Vulnerable Code Context

// In jpc_math.c:89
unsigned int jpc_floorlog2(uint_fast32_t x)
{
    assert(x > 0);  // VULNERABLE ASSERTION
    // ... logarithm calculation code
}

The vulnerability occurs when:

  • User provides malformed codec options like -O cblkwidth= (empty value)
  • Option parsing converts empty/invalid value to 0
  • JPEG2000 encoding process calls jpc_floorlog2(0)
  • Assertion fails because 0 is not a valid input for logarithm calculation

Reproduction Steps

Command Line Test

# Execute vulnerable command with POC file
./jasper --output-format jp2 -O cblkwidth= --memory-limit 59395 --input POC_jasper_jpc_floorlog2_assertion_failure

Expected Behavior

The command will:

  1. Begin JPEG2000 encoding process
  2. Process the empty cblkwidth= parameter as 0
  3. Call jpc_floorlog2(0) during encoding
  4. Trigger assertion failure at jpc_math.c:89
  5. Crash with SIGABRT and "Assertion `x > 0' failed" message

Proof of Concept

POC File: POC_jasper_jpc_floorlog2_assertion_failure

Credit

Xudong Cao (UCAS)

Yuqing Zhang (UCAS, Zhongguancun Laboratory)
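
The failure mode described in this report, as an added example that is not part of the original issue and not JasPer's own code: a lenient numeric conversion turns an empty option value into 0, which would then reach a log2 helper whose precondition is x > 0, shown next to a strict parser that rejects the value before the helper is called. The names lenient_value and parse_pow2_opt, the use of atoi, and the 1024 upper bound are assumptions made for illustration.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the reported helper: same precondition, x must be > 0. */
static unsigned floorlog2(uint_fast32_t x)
{
    unsigned y = 0;
    assert(x > 0);
    while (x >>= 1)
        ++y;
    return y;
}

/* Lenient conversion (assumed pattern): "" and "abc" both become 0. */
static int lenient_value(const char *val)
{
    return atoi(val);
}

/* Hypothetical strict parser: returns 0 and stores floor(log2(value)) in
 * *exp_out, or returns -1 without ever calling floorlog2() on bad input. */
static int parse_pow2_opt(const char *val, unsigned long max, unsigned *exp_out)
{
    char *end;
    unsigned long v;
    if (val == NULL || *val < '0' || *val > '9')
        return -1;              /* empty value, sign, whitespace, text */
    errno = 0;
    v = strtoul(val, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > max)
        return -1;              /* overflow, trailing junk, 0, too large */
    *exp_out = floorlog2((uint_fast32_t)v);
    return 0;
}

int main(void)
{
    const char *samples[] = { "", "0", "64", "64x", "-1" }; /* constructed */
    unsigned exp = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_pow2_opt(samples[i], 1024, &exp);
        printf("\"%s\": lenient=%d strict=%s\n", samples[i],
               lenient_value(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Passing lenient_value("") directly to floorlog2() aborts the process in a build with assertions enabled, which is the crash shown in the report; the strict parser turns the same input into an ordinary error return.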
