CVE-2014-8157: Use After Free

First published: Tue Jan 06 2015(Updated: )

oCERT reports an issue in jasper discovered by pyddeh: """ jpc_dec.c:1204: dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { return -1; } the dec->XXX in JPC_CEILDIV are all directly from the codestream, so dec->numtiles can be 0. In that case, the minimum-sized chunk returned by malloc can, depending on the code stream, be used later. I think this can cause the same problems as a use after free. Fix proposal: if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { return -1; } """ Acknowledgement: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• agent/references
• agent/weakness
• agent/severity
• agent/author
• agent/description
• collector/nvd-index
• agent/software-canonical-lookup-request
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2014-8157
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/tags
• agent/event
• vendor/opensuse
• canonical/opensuse opensuse
• version/opensuse opensuse/13.1
• version/opensuse opensuse/13.2
• vendor/debian
• canonical/debian debian linux
• version/debian debian linux/7.0
• vendor/redhat
• canonical/redhat enterprise linux
• version/redhat enterprise linux/6.0
• version/redhat enterprise linux/7.0
• vendor/jasper project
• canonical/jasper project jasper
• version/jasper project jasper/1.900.1
• package-manager/redhat