jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1921328]
Created mingw-jasper tracking bugs for this issue:
Affects: fedora-all [bug 1921326]
There is no upstream version with the fix yet, but it should be included in 2.0.25.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4235 https://access.redhat.com/errata/RHSA-2021:4235
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):