CVE-2014-8157: Use After Free
First published: Tue Jan 06 2015(Updated: )
oCERT reports an issue in jasper discovered by pyddeh: """ jpc_dec.c:1204: dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { return -1; } the dec->XXX in JPC_CEILDIV are all directly from the codestream, so dec->numtiles can be 0. In that case, the minimum-sized chunk returned by malloc can, depending on the code stream, be used later. I think this can cause the same problems as a use after free. Fix proposal: if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { return -1; } """ Acknowledgement: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jasper | <1.900.2 | 1.900.2 |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 | |
| Debian Debian Linux | =7.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Jasper Project Jasper | <=1.900.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1179282#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1179282#c2
- http://www.ocert.org/advisories/ocert-2015-001.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1184751
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1184753
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1184750
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1184752
- http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
- https://rhn.redhat.com/errata/RHSA-2015-0074.html
- https://rhn.redhat.com/errata/RHBA-2015-0075.html
- https://rhn.redhat.com/errata/RHBA-2015-0076.html
- https://rhn.redhat.com/errata/RHBA-2015-0077.html
- https://rhn.redhat.com/errata/RHSA-2015-0698.html
- https://github.com/mdadams/jasper/commit/3fd4067496d8ef70f11841d7492ddeb1f1d56915
- https://bugzilla.redhat.com/show_bug.cgi?id=1179282
- http://advisories.mageia.org/MGASA-2015-0038.html
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00014.html
- http://rhn.redhat.com/errata/RHSA-2015-0074.html
- http://rhn.redhat.com/errata/RHSA-2015-0698.html
- http://secunia.com/advisories/62583
- http://secunia.com/advisories/62615
- http://secunia.com/advisories/62619
- http://secunia.com/advisories/62765
- http://www.debian.org/security/2015/dsa-3138
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:034
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:159
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/72296
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606
- http://www.ubuntu.com/usn/USN-2483-1
- http://www.ubuntu.com/usn/USN-2483-2
- agent/type
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-8157
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/event
- agent/trending
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/source
- package-manager/redhat
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- version/opensuse opensuse/13.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- vendor/jasper project
- canonical/jasper project jasper
- version/jasper project jasper/1.900.1