There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12 that will lead to a denial of service attack. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1485282
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1434464] Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1434465] Affects: fedora-all [bug 1434467]
This CVE is for the same reachable assertion as CVE-2016-9398 (bug 1396980). Upstream bug report is: https://github.com/mdadams/jasper/issues/71 The issue remains unfixed in the current upstream version 2.0.14.
Upstream commit: https://github.com/jasper-software/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160 The issue was fixed upstream in jasper 2.0.17.
This is a duplicate of CVE-2016-9398. *** This bug has been marked as a duplicate of bug 1396980 ***