| Summary: | <media-libs/jasper-1.900.6: Use-after-free (and double-free) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | aoaaxy+gentoobugzilla, sci, zazdxscf+bugs.gentoo.org |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://seclists.org/oss-sec/2015/q3/408 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
This is fixed in the latest jasper-1.900.6 We will stabilize it. Bug rating for this package has been B. Severity adjusted. GLSA Vote: No |
From ${URL} : A new use-after-free was found in Jasper JPEG-200. The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file. Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp) (line 572), but if one of the two following branch conditions is taken (line 573/576), a second call to jas_tvparser_destroy(tvp) occurs (line 586). It is a use-after-free because before calling free in jas_tvparser_destroy there is a check to tvp->buf, while tvp could have been freed. Two double free take place just after this check (on tvp->buf and tvp). A simple fix should be to move the first call of jas_tvparser_destroy after the two branch conditions (or set tvp to NULL after it has been freed in mif_process_cmpt). @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.