Seth Arnold reported [1] a number of integer overflows causing heap-based buffer overflows in openjpeg: Many instances of malloc() and opj_malloc() using integers multiplied together or added together without any overflow checks, e.g.: * http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#1825 * http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#487 He notes this is not an exhaustive list, but serves as examples. Upstream has, to this point, not responded so there are currently no patches. [1] http://www.openwall.com/lists/oss-security/2013/09/12/2
Acknowledgements: Red Hat would like to thank Seth Arnold for reporting this issue.
This flaw exists in the JP3D image handling code of openjpeg. [Part 10 of JPEG20003 (JP3D), which is concerned with volumetric imaging, aims to provide the same functionality and efficiency for 3D data sets as for its 2D counterparts.] The above code is not present in the version of openjpeg shipped with Red Hat Enterprise Linux 6. Statement: Not vulnerable. This issue does not affect the version of openjpeg as shipped with Red Hat Enterprise Linux 6.
This issue does not affect the version of openjpeg as shipped with Fedora 19 and Fedora 20.