An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.
Upstream issue: https://github.com/uclouvain/openjpeg/issues/992
Upstream reproducer: https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet
This is the classic case in which the length of the array is not checked and out of bounds buffers is written. Though this is a variable on the heap, because data written OOB is first operated on, exploitation is very difficult or even not possible in this case, reducing the impact to only crash. Though in realistic scenarios (when ASAN is not used), it seems like it should overwrite adjacent variables and not crash.
Created mingw-openjpeg2 tracking bugs for this issue:
Affects: fedora-all [bug 1626325]
Created openjpeg tracking bugs for this issue:
Affects: fedora-all [bug 1626322]
Created openjpeg2 tracking bugs for this issue:
Affects: epel-all [bug 1626323]
Affects: fedora-all [bug 1626324]