Failed-Assertion-in jasper(version 3.0.6, commit 66632500)

[benehalo]

Crash Inputs

Here are the files that trigger the bug - jas_image.c_1010.zip

Bug Description

I apply debug mode (-g -O0) to check for errors and report the detected errors as follows.

jasper: /data/code/jasper/src/libjasper/base/jas_image.c:1010: uint_fast32_t inttobits(jas_seqent_t, unsigned int, _Bool): Assertion `v >= 0 || sgnd' failed.

How to Reproduce

The aforementioned bug can be stably reproduced in version 3.0.6 (commit id 6663250).

1. Download the jasper source code with the [official link](https://github.com/mdadams/jasper).
2. Using clang/clang++ (10.0.0-4ubuntu1), build jasper with debug mode.
   • -g -O0
3. Execute jasper with the provided input files.
   • eg: /data/program/jasper/test/bin/jasper --input <input-file-path> --output /tmp/test.bmp --output-format bmp

[jubalh]

You have 5 files in the zip file, each of them triggers the same response, yes?

[benehalo]

You have 5 files in the zip file, each of them triggers the same response, yes?

Yes, each of the input files triggers the same reponse.

[jubalh]

Thanks for confirming.

[AHMorinaga]

What is the range of Jasper versions that contain this vulnerability?

[jubalh]

You'll have to check that yourself unfortunately.
3.0.6 is vulnerable and 4.0.0 is the first version with the fix.