There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a denial of service attack.
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1434464]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
Reported upstream via:
Provided reproducer does not trigger abort in jasper packages as shipped with Red Hat Enterprise Linux 6 and 7. The first upstream version where abort is triggered is 1.900.23. This issue also remains unfixed in the current upstream version 2.0.14.