Created attachment 1109156 [details] crash pos We find a vulnerability in the way JasPer's jas_matrix_create() function parsed certain JPEG 2000 image files. jas_matrix_t *jas_matrix_create(int numrows, int numcols) { ....... if (matrix->maxrows_ > 0) { if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * sizeof(jas_seqent_t *)))) { ................ matrix->maxrows_ > 0 ,but matrix->maxrows_ *sizeof(jas_seqent_t *) can cause Integer overflow. Reported by Qihoo 360 Codesafe Team
*** Bug 1296950 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 461476 ***
Hi, You are right,I made a mistake,I omit the patch. And,I find another vulnerability about Jasper. I was successful in reproducing this issuel in the jasper-1.900.1-31.fc23.src. Please see: http://www.openwall.com/lists/oss-security/2016/01/13/2