libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. An attacker can use this flaw to crash the application. Upstream issue: https://github.com/mozilla/mozjpeg/issues/268 Proposed patch: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182
Created libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1475744] Created mingw-libjpeg-turbo tracking bugs for this issue: Affects: epel-7 [bug 1475746] Affects: fedora-all [bug 1475745]