Bug 1388863 (CVE-2016-8880) - CVE-2016-8880 jasper: heap buffer overflow in jpc_dec_cp_setfromcox() (rejected duplicate of CVE-2011-4516)
Summary: CVE-2016-8880 jasper: heap buffer overflow in jpc_dec_cp_setfromcox() (reject...
Status: CLOSED DUPLICATE of bug 747726
Alias: CVE-2016-8880
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1388873 1388874 1388875 1388876
Blocks: 1314477
TreeView+ depends on / blocked
Reported: 2016-10-26 10:29 UTC by Adam Mariš
Modified: 2021-02-17 03:07 UTC (History)
27 users (show)

Fixed In Version: jasper 1.900.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-12-14 14:38:14 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-10-26 10:29:36 UTC
Heap-based buffer overflow was found in jpc_dec_cp_setfromcox() triggered by malformed jpeg2000 file.

Upstream bug:


CVE assignment:


Comment 1 Adam Mariš 2016-10-26 10:51:58 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]

Comment 2 Adam Mariš 2016-10-26 10:52:16 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]

Comment 3 Tomas Hoger 2016-12-14 14:38:14 UTC
This really is a duplicate of CVE-2011-4516 (bug 747726), with slightly different symptoms.  The problem is missing check of the maximum value for the number of resolution levels (numrlvls) in the jpc_cox_getcompparms() function.

This could lead to out-of-bounds write directly in the jpc_cox_getcompparms() function as originally described for CVE-2011-4516 - when writing to rlvls[] array inside jpc_coxcp_t type structure compparms.

In case of the CVE-2016-8880 reproducer, out-of-bounds write in jpc_cox_getcompparms() was avoided, and a different out-of-bounds reads and writes were triggered in jpc_dec_cp_setfromcox() - reading from the mentioned rlvls[] array and writing to prcwidthexpns[] and prcheightexpns[] arrays inside of the ccp structure of type jpc_dec_ccp_t.

In Red Hat products, this issue was already corrected in previous updates for CVE-2011-4516.

Problem was addressed upstream in version 1.900.5 via this commit:


Comment 5 Andrej Nemec 2017-01-18 09:37:53 UTC
This CVE was rejected by Mitre:

Common Vulnerabilities and Exposures assigned an identifier CVE-2016-8880 to
the following vulnerability:

Name: CVE-2016-8880
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8880
Assigned: 20161022

CVE-2011-4516. Reason: This candidate is a duplicate of CVE-2011-4516.
Notes: All CVE users should reference CVE-2011-4516 instead of this
candidate. All references and descriptions in this candidate have been
removed to prevent accidental usage.

Comment 6 Doran Moppert 2020-06-17 08:30:51 UTC

*** This bug has been marked as a duplicate of bug 747726 ***

Comment 7 Doran Moppert 2020-06-17 08:38:20 UTC

This flaw was found to be a duplicate of CVE-2011-4516. Please see https://access.redhat.com/security/cve/CVE-2011-4516 for information about affected products and security errata.

Note You need to log in before you can comment on or make changes to this bug.