reassign 413033 libjasper-1.701-1
retitle 413033 jasper: Heap corruption on malformed image input.
severity 413033 grave
tag 413033 + security
thanks
Hi Roland!

On Thu, Mar 01, 2007 at 09:01:48PM +0100, Daniel Kobras wrote:
> On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> > The attached files all crash imagemagick (e.g. XXXtojpg $filename) on
> > amd64, some with SEGV, some with glibc detected heap corruption. I
> > consider it quite likely that some of these are exploitable, but as
> > I'm not sure, only filing as Severity: normal as to not annoy you :)
>
> Thanks. I've done a quick screening to investigate which of those affect
> graphicsmagick, and have cloned individual bugs as I'm probably unable
> to deal with all of them in one go. Bug severity might change once I've
> had a closer look at the individual issues. Here's the detailed list for
> current graphicsmagick:
>
> Broken import
> =============
>
> The following coders show problems on "gm identify".

(...)

> jp2:
> broken.jpc ... Segmentation fault
> broken2.jp2 ... Segmentation fault
> broken4.jp2 ... cannot get marker segment
> *** glibc detected *** double free or corruption (!prev): 0x0809d1b8
> ***
> (hangs afterwards)

I have now checked the above three testcases with a current patchset in
graphicsmagick. The first one still causes a segfault, the two jp2 files
now both abort with a glibc-detected heap corruption. According to the
gdb backtrace, all of those happen deep inside libjasper, so while I
haven't done any thorough debugging, I'm quite certain that those are
indeed problems in jasper rather than graphicsmagick. Roland, can you
please have a look? I'm raising the severity as the two heap corruption
issues at least are likely to have security impact. The testcases are
attached to the first mail that originally opened this bug.

Thanks,

Daniel.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
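Added example, not part of the thread or of the graphicsmagick/jasper projects: a small POSIX shell harness that automates the "gm identify" screening described in the report, with a per-file timeout so a case like the one that "hangs afterwards" cannot stall the run, and labels each outcome the way the report does (segfault, glibc-detected heap corruption, hang). It assumes GNU coreutils timeout(1); the decoder command and the testcase directory are supplied by the caller.

```shell
#!/bin/sh
# Crash-triage harness for a directory of malformed-image testcases.
# Added example (not from the bug report): runs one decoder command per
# file and classifies the result. Assumes GNU coreutils timeout(1).

TRIAGE_TIMEOUT="${TRIAGE_TIMEOUT:-10}"   # seconds per file before we call it a hang

# Map an exit status to a triage label. The shell reports death by signal
# as 128+signo (SIGABRT=6, SIGSEGV=11); timeout(1) returns 124 on expiry.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "HANG (no result after ${TRIAGE_TIMEOUT}s)" ;;
        134) echo "ABORT (SIGABRT, e.g. glibc heap-corruption check)" ;;
        139) echo "SEGV (segmentation fault)" ;;
        *)   echo "exit $1" ;;
    esac
}

# Run one decoder command on one file. stderr goes to <file>.triage.log so
# the glibc diagnostic ("*** glibc detected *** ...") survives for the report.
# $1 = command line to prefix, e.g. "gm identify"; $2 = testcase path.
run_case() {
    cmd="$1"; f="$2"; log="${f}.triage.log"
    status=0
    # Word-splitting $cmd is intended: "gm identify" is two words.
    timeout "$TRIAGE_TIMEOUT" $cmd "$f" >/dev/null 2>"$log" || status=$?
    label=$(classify_exit "$status")
    if grep -q 'glibc detected' "$log"; then
        label="$label [$(grep -m1 'glibc detected' "$log")]"
    fi
    printf '%s ... %s\n' "$f" "$label"
}

# Run every regular file in a directory (skipping our own logs), one
# result line per file, in the "name ... outcome" layout of the report.
# Usage: triage_dir "gm identify" ./testcases
triage_dir() {
    for f in "$2"/*; do
        if [ -f "$f" ] && [ "${f%.triage.log}" = "$f" ]; then
            run_case "$1" "$f"
        fi
    done
}
```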