Red Hat Bugzilla – Bug 841030
openjpeg: segfault on broken images
Last modified: 2015-08-19 05:17:06 EDT
It was reported that OpenJPEG suffered from a bug where, in the case of corrupt files, tiles were failing to be properly allocated, which left the code attempting to work with non-existent tiles. Due to the lack of error checking, the code would later access the contents of the uninitialized memory and would cause a segfault.
A patch has been posted to the ghostscript git, for an embedded copy of OpenJPEG, to correct this flaw.
The bug report does not indicate whether or not arbitrary code execution via a crafted PDF (in the context of upstream ghostscript, or in Poppler since we use libopenjpeg there) or jpeg file is possible. Since I can't tell, I've filed the bug -- it could very well be nothing (a crash of the viewer linked to openjpeg), but I didn't want to rule it out before having it looked at.
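The failure pattern described in the report (a tile table sized from an untrusted header, tile allocation that can fail on corrupt input, and later code that indexes the table without checking) is shown below as an added example. It is a toy tile parser written for this page, not OpenJPEG's or ghostscript's code, and its header layout (little-endian u32 tile count followed by u32 width/height pairs), the MAX_TILES and MAX_DIM limits, and the sample buffers are all constructed assumptions. The point it illustrates is the missing check: the tile count is validated against the bytes actually present, every allocation result is tested, a partially built table is unwound rather than left for later code to dereference, and lookups go through a bounds check instead of trusting an index.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy tile table; this is NOT OpenJPEG's data model, just a stand-in. */
typedef struct { uint32_t w, h; uint8_t *pixels; } tile_t;
typedef struct { uint32_t ntiles; tile_t *tiles; } image_t;

#define MAX_TILES 1024u   /* hypothetical sanity limits for the toy format */
#define MAX_DIM   4096u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void free_image(image_t *img) {
    if (!img->tiles) return;
    for (uint32_t i = 0; i < img->ntiles; i++) free(img->tiles[i].pixels); /* NULL for never-allocated tiles */
    free(img->tiles);
    img->tiles = NULL;
    img->ntiles = 0;
}

/* Constructed header layout (assumption): u32 ntiles, then ntiles x (u32 w, u32 h), little-endian.
 * Returns 0 and fills *img on success; -1 on corrupt input or allocation failure, in which case
 * *img is left empty so no later code can touch a half-built tile table. */
int parse_tiles(const uint8_t *buf, size_t len, image_t *img) {
    img->ntiles = 0;
    img->tiles = NULL;
    if (len < 4) return -1;
    uint32_t n = rd32le(buf);
    if (n == 0 || n > MAX_TILES) return -1;
    if ((len - 4) / 8 < n) return -1;          /* header claims more tiles than the file carries */
    tile_t *tiles = calloc(n, sizeof *tiles);  /* zeroed, so every pixels pointer starts NULL */
    if (!tiles) return -1;
    img->tiles = tiles;
    img->ntiles = n;                           /* registered now so free_image can unwind partial work */
    for (uint32_t i = 0; i < n; i++) {
        uint32_t w = rd32le(buf + 4 + i * 8), h = rd32le(buf + 8 + i * 8);
        if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) { free_image(img); return -1; }
        tiles[i].w = w;
        tiles[i].h = h;
        tiles[i].pixels = calloc((size_t)w * h, 1); /* bounded by MAX_DIM^2, cannot overflow */
        if (!tiles[i].pixels) { free_image(img); return -1; }
    }
    return 0;
}

/* Every later access goes through a bounds and initialisation check instead of trusting an index. */
const tile_t *get_tile(const image_t *img, uint32_t idx) {
    if (!img->tiles || idx >= img->ntiles || !img->tiles[idx].pixels) return NULL;
    return &img->tiles[idx];
}

/* Parse buf and return the pixel count of tile idx, or -1 if the file is rejected or idx is out of range. */
long tile_pixels(const uint8_t *buf, size_t len, uint32_t idx) {
    image_t img;
    if (parse_tiles(buf, len, &img) != 0) return -1;
    const tile_t *t = get_tile(&img, idx);
    long r = t ? (long)t->w * (long)t->h : -1;
    free_image(&img);
    return r;
}

/* Constructed sample inputs (not real JPEG 2000 data). */
const uint8_t SAMPLE_GOOD[]      = { 2,0,0,0,  4,0,0,0, 3,0,0,0,  2,0,0,0, 2,0,0,0 };
const uint8_t SAMPLE_TRUNCATED[] = { 5,0,0,0,  4,0,0,0, 3,0,0,0 };   /* claims 5 tiles, carries 1 */
const uint8_t SAMPLE_ZERO_DIM[]  = { 1,0,0,0,  0,0,0,0, 9,0,0,0 };   /* zero-width tile */

int main(void) {
    printf("good, tile 0:  %ld pixels\n", tile_pixels(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0));
    printf("good, tile 7:  %ld (index out of range)\n", tile_pixels(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 7));
    printf("truncated:     %ld (rejected)\n", tile_pixels(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0));
    printf("zero dim:      %ld (rejected)\n", tile_pixels(SAMPLE_ZERO_DIM, sizeof SAMPLE_ZERO_DIM, 0));
    return 0;
}
```

Without the length check and the allocation checks, the truncated sample would yield a table whose later entries were never filled, which is exactly the state the report describes: the decoder proceeds with non-existent tiles and faults when it reads them.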
Based on the reproducers and the analysis of the patches, it seems openjpeg crashes due to an out-of-bounds read. There is no scope for arbitrary code execution, and this can only lead to denial of service, i.e. an application crash.
We do not consider this as a security issue.