There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a denial of service attack.
Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1485283
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1434464]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
This CVE is for the same reachable assertion as CVE-2016-9399 (bug 1396981).
Upstream bug report is: https://github.com/mdadams/jasper/issues/83
The issue remains unfixed in the current upstream version 2.0.14.
Upstream commit: https://github.com/jasper-software/jasper/commit/84d00fb29a22e360c2ff91bdc2cd81c288826bfc
The issue was fixed upstream in jasper 2.0.17.
Closing as duplicate of CVE-2016-9399 as indicated by comment 2 above.
*** This bug has been marked as a duplicate of bug 1396981 ***