
JasPer imginfo Use-After-Free Vulnerability in jpc_dec_dump (Variant 2) #403

@err2zero

Description


Summary

During fuzzing, a critical use-after-free vulnerability was discovered in JasPer's imginfo utility when it processes malformed JPEG2000 image files. This is the second variant of the use-after-free in the jpc_dec_dump function during JPEG2000 decoding: a heap-allocated memory region is accessed after it has been freed, leading to memory corruption and potential security exploitation. It is distinct from the first variant in that it is triggered by a different debug level and different input conditions.

Vulnerability Details

Program: imginfo (JasPer Image Information Utility)
Crash Type: SIGABRT (Signal 6)
Root Cause: Use-after-free in jpc_dec_dump function
Trigger: Malformed JPEG2000 image processing with debug level 33554432

Technical Details

Vulnerability Mechanism and Root Cause

Critical Issue: Heap memory access after free
Location: /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299
Function: jpc_dec_dump

Root Cause Analysis:

  1. Memory Management Error: During JPEG2000 tile processing, heap memory is allocated for decoder structures
  2. Premature Deallocation: Memory is freed prematurely during error handling or cleanup operations
  3. Continued Access: The jpc_dec_dump function continues to access the freed memory region
  4. Use-After-Free Trigger: READ operation on freed memory at address 0x6080000001e8
  5. AddressSanitizer Detection: Memory corruption detected and program terminated

AddressSanitizer Report

=================================================================
==2584956==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x562516b15d7c bp 0x7fff7b7e5290 sp 0x7fff7b7e5288
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x562516b15d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x562516b15d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3
    #2 0x562516b2fda5 in jpc_dec_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:434:10
    #3 0x562516b2fda5 in jpc_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:270:6
    #4 0x562516a8e42a in jas_image_decode /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_image.c:445:16
    #5 0x562516a86961 in main /workspace/benchmark/program/jasper-4.2.5/src/app/imginfo.c:334:16
    #6 0x7f4c05138d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f4c05138e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5625169ab534 in _start (fz-jasper/fz-imginfo/imginfo+0x8d534) (BuildId: 601ffe42860d8d81)

0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x562516a450b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x562516abda2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3

previously allocated by thread T0 here:
    #0 0x562516a4535e in malloc (fz-jasper/fz-imginfo/imginfo+0x12735e) (BuildId: 601ffe42860d8d81)
    #1 0x562516abbcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17

SUMMARY: AddressSanitizer: heap-use-after-free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13 in jpc_dec_dump
Shadow bytes around the buggy address:
  0x607fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x608000000080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 03 fa
  0x608000000100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x608000000180: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x608000000200: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x608000000380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x608000000400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2584956==ABORTING
Aborted (core dumped)
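Fuzzing campaigns against imginfo produce many reports like the one above, and the useful triage fields are the error class, the faulting access, and the first project frame of the access, free and allocation stacks. The following is an added example (not JasPer code) that extracts those fields and builds a deduplication key; its sample input is an excerpt of the report in this issue, and the field names are this example's own.

```python
import re

# Excerpt of the AddressSanitizer report from this issue, used as sample input.
SAMPLE_REPORT = """\
==2584956==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000001e8 at pc 0x562516b15d7c bp 0x7fff7b7e5290 sp 0x7fff7b7e5288
READ of size 4 at 0x6080000001e8 thread T0
    #0 0x562516b15d7b in jpc_dec_dump /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:2299:13
    #1 0x562516b15d7b in jpc_dec_process_sod /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_dec.c:638:3

0x6080000001e8 is located 72 bytes inside of 96-byte region [0x6080000001a0,0x608000000200)
freed by thread T0 here:
    #0 0x562516a450b6 in free (fz-jasper/fz-imginfo/imginfo+0x1270b6) (BuildId: 601ffe42860d8d81)
    #1 0x562516abda2f in jas_basic_free /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:615:3

previously allocated by thread T0 here:
    #0 0x562516a4535e in malloc (fz-jasper/fz-imginfo/imginfo+0x12735e) (BuildId: 601ffe42860d8d81)
    #1 0x562516abbcad in jas_std_alloc /workspace/benchmark/program/jasper-4.2.5/src/libjasper/base/jas_malloc.c:276:17
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def first_source_frame(stack):
    """First frame with file:line:col, skipping malloc/free and other unsymbolized frames."""
    for func, loc in FRAME_RE.findall(stack):
        if re.search(r":\d+:\d+$", loc):
            return func, loc
    return None

def triage(report):
    """Reduce an ASan report to the fields a fuzzing triage needs."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    # ASan prints the access stack, then "freed by ...", then "previously allocated by ...".
    access_stack, _, rest = report.partition("freed by thread")
    free_stack, _, alloc_stack = rest.partition("previously allocated by thread")
    crash = first_source_frame(access_stack)
    return {
        "error": err.group(1),
        "address": err.group(2),
        "access": (acc.group(1), int(acc.group(2))) if acc else None,
        "offset_in_region": (int(region.group(1)), int(region.group(2))) if region else None,
        "crash_frame": crash,
        "freed_in": first_source_frame(free_stack),
        "allocated_in": first_source_frame(alloc_stack),
        # Dedup key: error class plus crashing function and file:line (column dropped).
        "signature": f"{err.group(1)}|{crash[0]}|{crash[1].rsplit('/', 1)[-1].rsplit(':', 1)[0]}",
    }
```

Two crashes that share a signature are the same bug for triage purposes; the two jpc_dec_dump variants this issue distinguishes would still be told apart by their freed_in and allocated_in frames if those differ.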

Vulnerable Code Context

The vulnerability occurs in the JPEG2000 decoder when processing tile data:

// In jpc_dec.c:2299 (jpc_dec_dump function)
// Memory access on previously freed heap region
// READ of size 4 at 0x6080000001e8

Critical Call Chain:

  1. main() -> jas_image_decode()
  2. jas_image_decode() -> jpc_decode()
  3. jpc_decode() -> jpc_dec_decode()
  4. jpc_dec_decode() -> jpc_dec_process_sod()
  5. jpc_dec_process_sod() -> jpc_dec_dump() -> CRASH HERE

Proof of Concept

POC File: POC_jasper_imginfo_use_after_free_jpc_dec_dump_2
Content: Malformed JPEG2000 image file that triggers use-after-free in decoder

Reproduction Steps

Command Line Test

# Execute vulnerable command with POC file
imginfo --debug-level 33554432 -f POC_jasper_imginfo_use_after_free_jpc_dec_dump_2

Expected Behavior

The command will:

  1. Begin JPEG2000 image analysis with debug level 33554432
  2. Start decoding malformed JPEG2000 tile data
  3. Trigger memory deallocation during error handling
  4. Continue execution and access freed memory in jpc_dec_dump
  5. AddressSanitizer detects use-after-free at jpc_dec.c:2299
  6. Program crashes with detailed memory corruption report

Command

  • --debug-level 33554432: Enable debug output level 33554432 (triggers specific code path for Variant 2)
  • -f: Specify input file path

Affected Versions

JasPer Version: 4.2.5 and current master
Build Configuration: Compiled with AddressSanitizer for vulnerability detection
Platform: Linux x86_64

Credit

Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
