Bug 1388864 (CVE-2016-8881) - CVE-2016-8881 jasper: insufficient memory allocation in jpc_crg_getparms() (rejected duplicate of CVE-2011-4517)
Summary: CVE-2016-8881 jasper: insufficient memory allocation in jpc_crg_getparms() (r...
Status: CLOSED DUPLICATE of bug 747726
Alias: CVE-2016-8881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1388873 1388874 1388875 1388876
Blocks: 1314477
TreeView+ depends on / blocked
Reported: 2016-10-26 10:33 UTC by Adam Mariš
Modified: 2021-02-17 03:07 UTC (History)
27 users (show)

Fixed In Version: jasper 1.900.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-12-15 13:03:05 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-10-26 10:33:45 UTC
Heap buffer overflow was found in jpc_getuint16() triggered by specially crafted input file.

Upstream bug:


CVE assignment:


Comment 1 Adam Mariš 2016-10-26 10:51:23 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]

Comment 2 Adam Mariš 2016-10-26 10:51:41 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]

Comment 3 Tomas Hoger 2016-12-15 13:03:05 UTC
This is duplicate of CVE-2011-4517 (bug 747726).  The problem was in the jpc_crg_getparms() function, which incorrectly allocated memory for cstate->numcomps.  When allocating memory, function assume that each item in the array has sizeof(uint_fast16_t).  However, it later handled each item as being of type jpc_crgcomp_t, a structure containing two uint_fast16_t type variables.  Therefore, it allocated approximately half of the required memory, leading to heap-based buffer overflow later.

In Red Hat products, this issue was already corrected in previous updates for CVE-2011-4517.

Problem was addressed upstream in version 1.900.5 via this commit:


Comment 5 Andrej Nemec 2017-01-18 09:39:51 UTC
This CVE was rejected by Mitre:

Common Vulnerabilities and Exposures assigned an identifier CVE-2016-8881 to
the following vulnerability:

Name: CVE-2016-8881
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8881
Assigned: 20161022

CVE-2011-4517. Reason: This candidate is a duplicate of CVE-2011-4517.
Notes: All CVE users should reference CVE-2011-4517 instead of this
candidate. All references and descriptions in this candidate have been
removed to prevent accidental usage.

Comment 6 Doran Moppert 2020-06-17 08:39:38 UTC

This flaw was found to be a duplicate of CVE-2011-4517. Please see https://access.redhat.com/security/cve/CVE-2011-4517 for information about affected products and security errata.

Comment 7 Doran Moppert 2020-06-17 08:40:02 UTC

*** This bug has been marked as a duplicate of bug 747726 ***

Note You need to log in before you can comment on or make changes to this bug.