An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.

References:
https://github.com/mdadams/jasper/issues/188

Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1649111]

Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1649113]
Affects: fedora-all [bug 1649112]

The reproducer triggers an assertion failure abort in jpc_dec_process_sot(), known as CVE-2017-13745 (bug 1488958), which remains unfixed upstream. The reported leak is minor, and it does not make much sense to consider it as a security problem while the abort problem is not fixed. Not currently planning to address this issue in Red Hat products.