There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a denial of service attack. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1485274
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1434464] Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1434465] Affects: fedora-all [bug 1434467]
Reported upstream via: https://github.com/mdadams/jasper/issues/166 This issue remains unfixed in the current upstream version 2.0.14.
*** Bug 1610135 has been marked as a duplicate of this bug. ***
Upstream commit: https://github.com/jasper-software/jasper/commit/fcbabdaaba217124c92dc29472596146756b968e The issue was fixed upstream in jasper 2.0.17.