A vulnerability was found in OpenJPEG before 2.3.1: a heap buffer overflow in color_apply_icc_profile in bin/common/color.c. Reference: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
Created mingw-openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1755772]
Created openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1755770]
Created openjpeg2 tracking bugs for this issue: Affects: epel-all [bug 1755773] Affects: fedora-all [bug 1755771]
openjpeg2 in rhel-7 and rhel-8 does not include the function color_apply_icc_profile() because it is built only if `defined(OPJ_HAVE_LIBLCMS2) || defined(OPJ_HAVE_LIBLCMS1)`, but even if lcms2-devel is in the BuildRequires of the spec file, the library is not found by the cmake build system, because the thirdparty directory is removed (the code that defines OPJ_HAVE_LIBLCMS is there).
Function color_apply_icc_profile() does not properly check whether the width/height values of the image components are all the same for the first three components, but the rest of the code makes this assumption. If the second or the third component has a width/height less than the first, a heap-based buffer overflow is possible while writing the transformed data back into the components' data.
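The precondition described above, as an added example that is not part of this bug report or of OpenJPEG's own code: a minimal stand-in for the image/component structures (hypothetical names `demo_comp_t`, `demo_image_t`), a geometry check over the first three components, a helper that counts how many samples a transform sized from component 0 would write past the smaller components' buffers, and a simulated transform that refuses mismatched geometry. Widths, heights and the identity-plus-one "transform" are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for OpenJPEG's component struct: only the fields
 * relevant to the check (width, height, precision, sample buffer). */
typedef struct {
    uint32_t w;
    uint32_t h;
    uint32_t prec;
    int32_t *data;   /* holds exactly w * h samples */
} demo_comp_t;

typedef struct {
    uint32_t numcomps;
    demo_comp_t *comps;
} demo_image_t;

/* Returns 1 if components 0, 1 and 2 share width, height and precision.
 * An RGB colour transform that loops comps[0].w * comps[0].h times and
 * writes into all three buffers is only safe when this holds. */
int demo_rgb_geometry_ok(const demo_image_t *img) {
    if (img == NULL || img->comps == NULL || img->numcomps < 3) return 0;
    const demo_comp_t *c0 = &img->comps[0];
    for (uint32_t i = 1; i < 3; i++) {
        const demo_comp_t *c = &img->comps[i];
        if (c->w != c0->w || c->h != c0->h || c->prec != c0->prec) return 0;
    }
    return 1;
}

/* Number of samples that a loop sized from component 0 would write beyond
 * the end of components 1 and 2 (0 when all three buffers are large enough). */
size_t demo_excess_writes(const demo_image_t *img) {
    if (img == NULL || img->comps == NULL || img->numcomps < 3) return 0;
    size_t n0 = (size_t)img->comps[0].w * img->comps[0].h;
    size_t excess = 0;
    for (uint32_t i = 1; i < 3; i++) {
        size_t ni = (size_t)img->comps[i].w * img->comps[i].h;
        if (n0 > ni) excess += n0 - ni;
    }
    return excess;
}

/* Simulated transform guarded by the geometry check. Returns 0 after
 * transforming the samples in place, -1 if the image was refused. */
int demo_apply_transform(demo_image_t *img) {
    if (!demo_rgb_geometry_ok(img)) return -1;
    size_t n = (size_t)img->comps[0].w * img->comps[0].h;
    for (size_t i = 0; i < n; i++) {
        for (int c = 0; c < 3; c++) img->comps[c].data[i] += 1;  /* constructed transform */
    }
    return 0;
}

/* Builds a three-component image with constructed per-component dimensions. */
demo_image_t *demo_make_image(uint32_t w0, uint32_t h0, uint32_t w1, uint32_t h1,
                              uint32_t w2, uint32_t h2) {
    demo_image_t *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->numcomps = 3;
    img->comps = calloc(3, sizeof *img->comps);
    if (img->comps == NULL) { free(img); return NULL; }
    uint32_t dims[3][2] = { { w0, h0 }, { w1, h1 }, { w2, h2 } };
    for (int i = 0; i < 3; i++) {
        img->comps[i].w = dims[i][0];
        img->comps[i].h = dims[i][1];
        img->comps[i].prec = 8;
        img->comps[i].data = calloc((size_t)dims[i][0] * dims[i][1], sizeof(int32_t));
    }
    return img;
}

void demo_free_image(demo_image_t *img) {
    if (img == NULL) return;
    for (uint32_t i = 0; i < img->numcomps; i++) free(img->comps[i].data);
    free(img->comps);
    free(img);
}

int main(void) {
    /* Constructed inputs: a consistent 4x4 image and one whose second
     * component is only 2x2, the shape the advisory warns about. */
    demo_image_t *ok = demo_make_image(4, 4, 4, 4, 4, 4);
    demo_image_t *bad = demo_make_image(4, 4, 2, 2, 4, 4);
    printf("consistent: geometry_ok=%d excess=%zu result=%d\n",
           demo_rgb_geometry_ok(ok), demo_excess_writes(ok), demo_apply_transform(ok));
    printf("mismatched: geometry_ok=%d excess=%zu result=%d\n",
           demo_rgb_geometry_ok(bad), demo_excess_writes(bad), demo_apply_transform(bad));
    demo_free_image(ok);
    demo_free_image(bad);
    return 0;
}
```

The guard is the same kind of check the upstream fix adds before the transform runs; `demo_excess_writes` exists only to make the size of the out-of-bounds write visible for a given set of component dimensions.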
Mitigation: If the application accepts untrusted images there is no known mitigation apart from applying the patch.