Bug 1626095 (CVE-2018-16376) - CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c
Summary: CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_pac...
Alias: CVE-2018-16376
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1626322 1626323 1626324 1626325 1626326
Blocks: 1626097
TreeView+ depends on / blocked
Reported: 2018-09-06 14:48 UTC by Pedro Sampaio
Modified: 2019-09-29 14:58 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:37:35 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2018-09-06 14:48:09 UTC
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.

Upstream bug:


Comment 2 Huzaifa S. Sidhpurwala 2018-09-07 04:11:29 UTC

This is the classic case in which the length of the array is not checked and out of bounds buffers is written. Though this is a variable on the heap, because data written OOB is first operated on, exploitation is very difficult or even not possible in this case, reducing the impact to only crash. Though in realistic scenarios (when ASAN is not used), it seems like it should overwrite adjacent variables and not crash.

Comment 3 Huzaifa S. Sidhpurwala 2018-09-07 04:13:14 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1626325]

Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1626322]

Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1626323]
Affects: fedora-all [bug 1626324]

Note You need to log in before you can comment on or make changes to this bug.