myhack58 / 佚名 (Anonymous) / MYHACK58:62201787518
History: Jun 30, 2017 - 12:00 a.m.

JasPer undefined pointer vulnerability analysis - Vulnerability Warning - Black Bar Safety Net (myhack58)

www.myhack58.com

0×01: Introduction
JasPer is an open source project that provides a reference implementation of Part 1 of the JPEG-2000 standard. It was originally developed as a collaboration between Image Power and the University of British Columbia. Ongoing maintenance and development of the JasPer software is coordinated by its main author, Michael Adams, a member of the Digital Signal Processing Group (DSPG) in the Department of Electrical and Computer Engineering at the University of Victoria. The affected version is 2.0.12.
0×02: Analysis
Exception information at the trigger point:
![](/Article/UploadPic/2017-6/201763092557201.png?www.myhack58.com)
Preliminary analysis: the core dump is caused by the function jpc_dequantize in jpc_dec.c.
Call chain from main() to the faulting function (1):
![](/Article/UploadPic/2017-6/201763092557463.png?www.myhack58.com)
Register information (1):
![](/Article/UploadPic/2017-6/201763092557545.png?www.myhack58.com)
Call chain from main() to the faulting function (2):
![](/Article/UploadPic/2017-6/201763092557957.png?www.myhack58.com)
Register information (2):
![](/Article/UploadPic/2017-6/201763092557902.png?www.myhack58.com)
Register information (3):

![](/Article/UploadPic/2017-6/201763092557854.png?www.myhack58.com)
Crash:

![](/Article/UploadPic/2017-6/201763092557475.png?www.myhack58.com)
![](/Article/UploadPic/2017-6/201763092557710.png?www.myhack58.com)
jp2_boxinfo_t *jp2_boxinfolookup(int type) walks the box-info table.
Reproduction command:
jasper --input ./crash_in2/id_000062,sig_11,src_000901,op_ext_AO,pos_66 -t jp2
The path ./crash_in2/id_000062,sig_11,src_000901,op_ext_AO,pos_66 (shown in red in the original) is the crash file produced by the fuzzer (the name follows AFL's crash-file naming scheme), and -T selects conversion to the jpg image format.
0×01: jasper.c
jasper.c, line 241:
if (!(image = jas_image_decode(in, cmdopts->infmt, cmdopts->inopts)))
infmt has the fixed value 4, and 4 stands for the jp2 format.
inopts is filled in by the argument-parsing function from the command-line parameters; its value here is 0.
in is the input file, represented as a stream opened with jas_stream_fopen().
jas_image.c, line 424: jas_image_decode(in, fmt, optstr) takes the input stream, the format id and the decoder options.
jas_image_lookupfmtbyid(fmt) checks that the format exists by looking up its id.
The input file is then decoded through (*fmtinfo->ops.decode)(in, optstr). Where is this function pointer defined?
It points into the jp2 decoder, jp2_dec.c, line 97:
dec = jp2_dec_create()
jp2_box_get() in jp2_cod.c, line 243:
Box structure: the input file is parsed into box structures.
The box->ops member is initially 0; it is then assigned with box->ops = &jp2_boxinfo_unk.ops;
typedef struct {
    struct jp2_boxops_s *ops;
    struct jp2_boxinfo_s info;
    uint_fast32_t type;
    /* The length of the box including the (variable-length) header. */
    uint_fast32_t len;
    /* The length of the box data. */
    uint_fast32_t datalen;
    union {
        jp2_jp_t jp;
        jp2_ftyp_t ftyp;
        jp2_ihdr_t ihdr;
        jp2_bpcc_t bpcc;
        jp2_colr_t colr;
        jp2_pclr_t pclr;
        jp2_cdef_t cdef;
        jp2_cmap_t cmap;
    } data;
} jp2_box_t;
error:
    if (box) {
        jp2_box_destroy(box);    /* the call that faults */
    }
    if (dec) {
        jp2_dec_destroy(dec);
    }
    return 0;
}
void jp2_box_destroy(jp2_box_t *box)    // jp2_cod.c, line 209
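As an added illustration (a constructed model, not JasPer's code), this shows the pattern the error path above points at: a box allocated with calloc reaches the cleanup routine before its ops table has been assigned, so a destroy function that dereferences box->ops without a NULL check reads address 0, while the guarded version simply frees the box. All type and function names here are hypothetical, and the assumption that ops is still NULL on the early error path is the model's, not a statement about the real jp2_box_get().

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a box with an ops table; not JasPer's real types. */
typedef struct box_s box_t;
typedef struct { void (*destroy)(box_t *); } box_ops_t;
struct box_s {
    box_ops_t *ops;        /* stays NULL until the box type has been resolved */
    uint_fast32_t type;
    uint_fast32_t len;
    int hook_ran;          /* set by the type-specific destroy hook */
};

static void unk_destroy(box_t *box) { box->hook_ran = 1; }
static box_ops_t unk_ops = { unk_destroy };   /* stand-in for jp2_boxinfo_unk.ops */

/* Unsafe cleanup: dereferences ops even if the box never got past header parsing.
 * A box freed on the decoder's early error path reaches this with ops == NULL. */
static int box_destroy_unsafe(box_t *box)
{
    int ran = 0;
    if (box->ops->destroy) { box->ops->destroy(box); ran = box->hook_ran; }
    free(box);
    return ran;
}

/* Hardened cleanup: an early-error box with ops still NULL is simply freed. */
static int box_destroy_safe(box_t *box)
{
    int ran = 0;
    if (box->ops && box->ops->destroy) { box->ops->destroy(box); ran = box->hook_ran; }
    free(box);
    return ran;
}

/* Model of the decoder: header_ok == 0 mimics a truncated input where the
 * 8-byte box header cannot be read, so we bail out before ops is assigned.
 * Returns 1 if the destroy hook ran, 0 if not, -1 on allocation failure. */
static int decode_box(int header_ok, int (*destroy)(box_t *))
{
    box_t *box = calloc(1, sizeof(*box));   /* calloc: ops == NULL */
    if (!box) return -1;
    if (!header_ok) goto error;             /* early exit, ops never set */
    box->type = 0x6a703268;                 /* 'jp2h', arbitrary sample type */
    box->ops = &unk_ops;                    /* lookup resolved the type */
error:
    return destroy(box);
}
```

Only the guarded destroy is safe to call on the truncated-input path; decode_box(0, box_destroy_unsafe) is the null dereference the model is meant to make visible.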
