An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.
References:
https://github.com/mdadams/jasper/issues/188
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1649111]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1649113]
Affects: fedora-all [bug 1649112]
The reproducer triggers an assertion failure abort in jpc_dec_process_sot(), known as CVE-2017-13745 (bug 1488958), which remains unfixed upstream. The reported leak is minor, and it does not make much sense to consider it as a security problem while the abort problem is not fixed. Not currently planning to address this issue in Red Hat products.