Double-free vulnerability was found in opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allowing remote attacker to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure. The opj_j2k_copy_default_tcp_and_create_tcp() function memcpy's a top-level struct and then replaces pointers to memory owned by the original struct with new blocks of memory. Unfortunately, an early return can leave the copy with pointers to memory it doesn't own, which causes problems when cleaning up the partially-initialized struct. Upstream bug: https://code.google.com/p/openjpeg/issues/detail?id=492 Upstream patch: https://github.com/uclouvain/openjpeg/commit/0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0
Created openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1267987]
Created mingw-openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1267988]
Created openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1267989]
Please Note: This seems to be valid for openjpeg2 only. The code has been redesigned completely and the upstream patch only applies to the openjpeg2 code. There's no such function call in openjpeg 1.5.1. (As per bug #1267987). Since Red Hat Enterprise Linux does not ship openjpeg2, it is not affected. Statement: Not vulnerable. This issue did not affect the versions of openjpeg as shipped with Red Hat Enterprise Linux 6 and 7.