An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact. Upstream bug: https://github.com/uclouvain/openjpeg/issues/1127
Upstream issue: https://github.com/uclouvain/openjpeg/issues/992 Patch: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e Upstream reproducer: https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet
Analysis: This is the classic case in which the length of the array is not checked and out of bounds buffers is written. Though this is a variable on the heap, because data written OOB is first operated on, exploitation is very difficult or even not possible in this case, reducing the impact to only crash. Though in realistic scenarios (when ASAN is not used), it seems like it should overwrite adjacent variables and not crash.
Created mingw-openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1626325] Created openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1626322] Created openjpeg2 tracking bugs for this issue: Affects: epel-all [bug 1626323] Affects: fedora-all [bug 1626324]