There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a denial of service attack.
Product bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1485286
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1434464]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
This issue, along with the related CVE-2017-13750 (bug 1488963) was now reported upstream via:
https://github.com/mdadams/jasper/issues/165
Note that the two assertions triggered in the jpc_dec_process_siz() function were only introduced in Jasper version 2.0.12 and hence these CVEs are not applicable to older versions.