Bug 1396959 (CVE-2016-9387) - CVE-2016-9387 jasper: integer overflow in jpc_dec_process_siz()
Summary: CVE-2016-9387 jasper: integer overflow in jpc_dec_process_siz()
Alias: CVE-2016-9387
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1396986 1396987 1396988 1396989 1439171 1439172 1439173 1439174
Blocks: 1314477
TreeView+ depends on / blocked
Reported: 2016-11-21 09:43 UTC by Adam Mariš
Modified: 2019-09-29 14:00 UTC (History)
27 users (show)

Fixed In Version: jasper 1.900.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-09 21:40:41 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-11-21 09:43:05 UTC
An integer overflow in jpc_dec_process_siz was found that can be triggered by crafted image file when given as input to imginfo

Upstream patch:


CVE assignment:


Comment 1 Adam Mariš 2016-11-21 10:30:59 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1396987]
Affects: epel-7 [bug 1396989]

Comment 2 Adam Mariš 2016-11-21 10:31:19 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1396986]
Affects: epel-5 [bug 1396988]

Comment 3 Tomas Hoger 2017-03-02 22:06:19 UTC
This issue was originally reported as an assertion failure.  Upstream bug report is:


The fix for integer overflow problem in jpc_dec_process_siz() did not directly address the problem, but it did have a side effect of preventing the assertion failure with the original reproducer.

The original issue reporter was able to trigger the same assertion failure even after this fix using different reproducer.  That was reported upstream in:


This got a separate CVE-2016-9390 (see bug 1396965).

The integer overflow check added in d91198a was also incomplete - it ensured that the product of dec->numhtiles * dec->numvtiles can fit into size_t type, but later assigned the value to dec->numtiles having a type of int.  Assignment form size_t to int can truncate the value, allowing integer overflow to happen.  This problem was reported upstream in:


and fixed in:


As previously noted, this integer overflow fix was not a proper fix for the original reported issue.  However, it could be an issue of its own, as similar integer overflows prior to memory allocation often lead to heap-based buffer overflows later.  That's not the case here, as the allocated dec->tiles[] array is not accessed beyond the (mis-computed) dec->numtiles.

As the problem of integer overflow in jpc_dec_process_siz() does not seem to have any security impact, it's not currently planned to be addressed in jasper packages in Red Hat Enterprise Linux 6 and 7.

Comment 4 Tomas Hoger 2017-03-02 22:10:10 UTC
Original reporter's advisory:


Relevant info from the advisory:

Affected version:

imginfo: /tmp/portage/media-libs/jasper-1.900.12/work/jasper-1.900.12/src/libjasper/base/jas_seq.c:90: jas_matrix<= yend' failed.

Commit fix:

Fixed version:



Comment 6 Tomas Hoger 2017-03-31 20:34:31 UTC
Re-considering inclusion for easier future testing.

Comment 8 errata-xmlrpc 2017-05-09 17:18:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

Note You need to log in before you can comment on or make changes to this bug.