jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

jas_image: Check number of lutents #199

Closed jubalh closed 4 years ago

jubalh commented 5 years ago

The index v of lutents[v] will be negative if numlutents is smaller than 1. This causes the heap-based buffer overflow because the lutents[] starts at 0.

Regards CVE-2018-19541.
Regards #182 bug#1
Fix by Markus Koschany apo@debian.org.
From https://gist.github.com/apoleon/3e9d4e86c51d16c7e551a1cc538528b9

jubalh commented 4 years ago

This patch can cause segfaults in some cases. https://github.com/mdadams/jasper/pull/211 is the proper fix for this CVE.
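The out-of-bounds index described in the first comment, reduced to a stand-alone lookup. This is an added illustration, not JasPer code and not the patch from either pull request: `clamp_index` and `lut_apply` are hypothetical names, and it assumes the sample is clamped to `numlutents - 1` before indexing `lutents[]`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a palette (LUT) lookup; not JasPer's API. */

/* Clamp a sample into [0, numlutents - 1] (assumed clamping scheme).
 * With numlutents < 1 the upper bound is negative, so a non-negative
 * sample is "clamped" to -1, which lies before the start of the table. */
static long clamp_index(long v, long numlutents)
{
    if (v < 0)
        return 0;
    if (v >= numlutents)
        return numlutents - 1;
    return v;
}

/* Map each palette index in src through lutents into dst.
 * Returns 0 on success, -1 if the table cannot be indexed safely. */
int lut_apply(const int32_t *lutents, long numlutents,
              const long *src, int32_t *dst, size_t n)
{
    /* Reject an empty table before any lookup: clamping cannot
     * produce a valid index when there are no entries. */
    if (lutents == NULL || numlutents < 1)
        return -1;
    for (size_t i = 0; i < n; ++i)
        dst[i] = lutents[clamp_index(src[i], numlutents)];
    return 0;
}

int main(void)
{
    /* Constructed sample data. */
    const int32_t lut[3] = {10, 20, 30};
    const long src[4] = {-7, 0, 2, 99};
    int32_t dst[4] = {0, 0, 0, 0};

    printf("clamped index for empty table: %ld\n", clamp_index(0, 0));
    printf("empty table  -> %d\n", lut_apply(lut, 0, src, dst, 4));
    printf("3-entry table -> %d\n", lut_apply(lut, 3, src, dst, 4));
    for (size_t i = 0; i < 4; ++i)
        printf("dst[%zu] = %d\n", i, (int)dst[i]);
    return 0;
}
```

The caller has to handle the `-1` return; a guard whose failure path is ignored upstream only moves the fault.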