Summary
During fuzzing, a critical use-after-free vulnerability was discovered in JasPer's imginfo utility when processing malformed JPEG2000 image files. The vulnerability occurs in the jpc_dec_dump function during JPEG2000 decoding, where a heap-allocated memory region is accessed after being freed, leading to memory corruption and potential security exploitation.
Vulnerability Details
Program: imginfo (JasPer Image Information Utility)
Crash Type: SIGABRT (Signal 6)
Root Cause: Use-after-free in jpc_dec_dump function
Trigger: Malformed JPEG2000 image processing with debug level 32
Technical Details
Vulnerability Mechanism and Root Cause
Critical Issue: Heap memory access after free
Location: /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299
Function: jpc_dec_dump
Root Cause Analysis:
- Memory Management Error: During JPEG2000 tile processing, heap memory is allocated for decoder structures
- Premature Deallocation: Memory is freed prematurely during error handling or cleanup operations
- Continued Access: The jpc_dec_dump function continues to access the freed memory region
- Use-After-Free Trigger: READ operation on freed memory at address 0x6080000001e8
- AddressSanitizer Detection: Memory corruption detected and program terminated
AddressSanitizer Report
=================================================================
==2584920==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x557250b99d7c bp 0x7ffc6f063930 sp 0x7ffc6f063928
READ of size 4 at 0x6080000001e8 thread T0
#0 0x557250b99d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
#1 0x557250b99d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
#2 0x557250bb3da5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
#3 0x557250bb3da5 in jpc_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:270:6
#4 0x557250b1242a in jas_image_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:445:16
#5 0x557250b0a961 in main /workspace/benchmark/program/jasper-4.2.5/src/app/imginfo.c:334:16
#6 0x7f2780a32d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7f2780a32e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x557250a2f534 in _start (fz-jasper/fz-imginfo/imginfo+0x8d534) (BuildId: 601ffe42860d8d81)
0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
#0 0x557250ac90b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
#1 0x557250b41a2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3
previously allocated by thread T0 here:
#0 0x557250ac935e in malloc (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
#1 0x557250b3fcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17
SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13 in jpc_dec_dump
==2584920==ABORTING
Aborted (core dumped)
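When a fuzzing campaign produces many reports like the one above, the first step is to reduce each one to the fields that matter for triage (error kind, access size, offset inside the freed region, crashing frame, free and allocation sites) and bucket duplicates by crash location. The parser below is an added example, not part of JasPer or of this report; its sample input is a constructed, abridged copy of the report above.

```python
import re

# Constructed excerpt of the report above, abridged to the lines the parser keys on.
SAMPLE_REPORT = """\
==2584920==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x557250b99d7c bp 0x7ffc6f063930 sp 0x7ffc6f063928
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x557250b99d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x557250b99d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x557250ac90b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x557250b41a2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3
previously allocated by thread T0 here:
    #0 0x557250ac935e in malloc (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x557250b3fcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17
"""
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

def _frames(section):
    """Return (function, location) pairs, innermost first, for one stack section."""
    return [(m.group(2), m.group(3)) for m in FRAME_RE.finditer(section)]

def parse_asan(report):
    """Extract the fields a triager keys on; None where a field is absent."""
    # ASan prints the access stack first, then the free stack, then the allocation stack.
    access_sec, _, rest = report.partition("freed by thread")
    free_sec, _, alloc_sec = rest.partition("previously allocated by thread")
    kind = ERROR_RE.search(report)
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    # Skip the allocator wrappers so the free/alloc sites name project code.
    wrappers = {"malloc", "calloc", "realloc", "free"}
    free_site = next((f for f, _ in _frames(free_sec) if f not in wrappers), None)
    alloc_site = next((f for f, _ in _frames(alloc_sec) if f not in wrappers), None)
    top = _frames(access_sec)
    return {
        "kind": kind.group(1) if kind else None, "address": kind.group(2) if kind else None,
        "access": access.group(1) if access else None, "size": int(access.group(2)) if access else None,
        "offset": int(region.group(1)) if region else None, "region_size": int(region.group(2)) if region else None,
        "crash_func": top[0][0] if top else None, "crash_loc": top[0][1] if top else None,
        "free_site": free_site, "alloc_site": alloc_site,
    }

def bucket_key(rec):
    """Dedup key: error kind plus crash file:line without the column, as fuzzers bucket."""
    loc = rec["crash_loc"].rsplit(":", 1)[0] if rec["crash_loc"] else "?"
    return f"{rec['kind']}@{loc}"
```

The offset field (72 bytes into a 96-byte region) is what tells you which member of the freed decoder structure is being read, which is the fastest route to the owning free in the cleanup path.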
Vulnerable Code Context
The vulnerability occurs in the JPEG2000 decoder when processing tile data:
// In jpc_dec.c:2299 (jpc_dec_dump function)
// Memory access on previously freed heap region
// READ of size 4 at 0x6080000001e8
Critical Call Chain:
main() → jas_image_decode()
jas_image_decode() → jpc_decode()
jpc_decode() → jpc_dec_decode()
jpc_dec_decode() → jpc_dec_process_sod()
jpc_dec_process_sod() → jpc_dec_dump() ← CRASH HERE
Proof of Concept
POC File: POC_jasper_imginfo_use_after_free_jpc_dec_dump_1
Content: Malformed JPEG2000 image file that triggers use-after-free in decoder
Reproduction Steps
Command Line Test
# Execute vulnerable command with POC file
fz-jasper/fz-imginfo/imginfo --debug-level 32 -f POC_jasper_imginfo_use_after_free_jpc_dec_dump_1
Expected Behavior
The command will:
- Begin JPEG2000 image analysis with debug level 32
- Start decoding malformed JPEG2000 tile data
- Trigger memory deallocation during error handling
- Continue execution and access freed memory in jpc_dec_dump
- AddressSanitizer detects use-after-free at jpc_dec.c:2299
- Program crashes with detailed memory corruption report
Command Options
--debug-level 32: Enable debug output level 32 (triggers specific code path)
-f: Specify input file path
Affected Versions
JasPer Version: 4.2.5 and the current master branch
Build Configuration: Compiled with AddressSanitizer for vulnerability detection
Platform: Linux x86_64
Credit
Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)