A flaw was found in JasPer 2.0.14. A memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
References: https://github.com/mdadams/jasper/issues/193
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1664873]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1664875]
Affects: fedora-all [bug 1664874]
The main problem demonstrated by the reproducer in the upstream bug report is a duplicate of CVE-2017-13748 (see bug 1488961). Besides the tile data memory leak, the reproducer also triggers a minor memory leak in jpc_dec_decodepkt(), which calls jpc_bitstream_sopen(), which allocates memory but does not make the matching jpc_bitstream_close() call to release it when an error is encountered. The following comment in the upstream bug provides more details:
https://github.com/mdadams/jasper/issues/193#issuecomment-624510298
Note that the CVE description is wrong - there's no problem in jas_malloc.c, and the problem is not limited to situations when converting to jp2 format, as it happens in the (jpc) decoder rather than the jp2 encoder.
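The error-path leak pattern described in the comment above, as an added example that is not JasPer's code: bitstream_sopen()/bitstream_close() are hypothetical stand-ins for jpc_bitstream_sopen()/jpc_bitstream_close(), the packet-header rule is constructed, and a live-allocation counter shows the early-return variant leaking while the single-exit variant does not.

```c
#include <stdlib.h>
/* Hypothetical stand-in for the JasPer bitstream object. The names mimic
 * jpc_bitstream_sopen()/jpc_bitstream_close() but this is not JasPer code. */
typedef struct { const unsigned char *data; size_t len; } bitstream_t;
int live_bitstreams = 0;  /* outstanding allocations; nonzero after a call = leak */

static bitstream_t *bitstream_sopen(const unsigned char *data, size_t len) {
    bitstream_t *bs = malloc(sizeof *bs);
    if (!bs) return NULL;
    bs->data = data;
    bs->len = len;
    live_bitstreams++;
    return bs;
}

static void bitstream_close(bitstream_t *bs) {
    if (!bs) return;
    free(bs);
    live_bitstreams--;
}

/* Constructed packet-header rule: a header needs at least 4 bytes and the
 * first byte must be a made-up packet marker 0xFF; anything else is an error. */
static int parse_packet_header(const bitstream_t *bs) {
    return (bs->len >= 4 && bs->data[0] == 0xFF) ? 0 : -1;
}

/* Leaky pattern: an error after sopen returns without the matching close. */
int decodepkt_leaky(const unsigned char *data, size_t len) {
    bitstream_t *bs = bitstream_sopen(data, len);
    if (!bs) return -1;
    if (parse_packet_header(bs) < 0)
        return -1;            /* bs is never closed on this path: memory leak */
    bitstream_close(bs);
    return 0;
}

/* Fixed pattern: one cleanup exit closes the bitstream on every outcome. */
int decodepkt_fixed(const unsigned char *data, size_t len) {
    bitstream_t *bs = bitstream_sopen(data, len);
    int ret = -1;
    if (!bs) return -1;
    if (parse_packet_header(bs) < 0)
        goto cleanup;
    ret = 0;
cleanup:
    bitstream_close(bs);
    return ret;
}
```

Running both variants over the same truncated packet under a leak checker such as Valgrind or ASan's LeakSanitizer reports the leaky variant only, which is how a fix for this class of bug is confirmed.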
Upstream commit: https://github.com/jasper-software/jasper/commit/aa8516b28344aa1263ee538bb7366c4679a0e1a5
The issue was fixed upstream in jasper 2.0.17.