oCERT-2015-001 JasPer input sanitization errors
The JasPer project is an open source implementation of the JPEG-2000 codec.
The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap-based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow.
A specially crafted jp2 file can be used to trigger the vulnerabilities.
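The two bug classes described above, sketched as an added example (not JasPer's code and not part of the original advisory): an index check that is off by one next to its corrected form, and scratch memory whose stack footprint stays constant regardless of a file-controlled size. The type toy_dec_t, all function names and both limits are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state for illustration; not JasPer's structures. */
typedef struct { long numtiles; int *tile_parts; } toy_dec_t;

/* Off-by-one check: rejects only tileno > numtiles, so tileno == numtiles
   (one element past the end of tile_parts) is accepted. */
static int tileno_ok_buggy(const toy_dec_t *d, long tileno) {
    return !(tileno > d->numtiles);
}

/* Corrected check: valid indices are 0 .. numtiles - 1. */
static int tileno_ok_fixed(const toy_dec_t *d, long tileno) {
    return tileno >= 0 && tileno < d->numtiles;
}

/* Count a tile-part only after the corrected check; -1 on a bad index. */
static int note_tile_part(toy_dec_t *d, long tileno) {
    if (!tileno_ok_fixed(d, tileno)) return -1;
    d->tile_parts[tileno]++;
    return 0;
}

#define SCRATCH_STACK_ELEMS 256      /* constructed: fixed stack scratch */
#define SCRATCH_MAX_ELEMS (1u << 20) /* constructed: cap on input-driven size */

/* Reverse n samples via scratch space. Stack use is constant: larger
   requests go to the heap, and sizes above the cap are rejected. */
static int reverse_samples(int32_t *v, size_t n) {
    int32_t stackbuf[SCRATCH_STACK_ELEMS];
    int32_t *buf = stackbuf;
    if (n > SCRATCH_MAX_ELEMS) return -1;
    if (n > SCRATCH_STACK_ELEMS && !(buf = malloc(n * sizeof *buf))) return -1;
    for (size_t i = 0; i < n; i++) buf[i] = v[n - 1 - i];
    memcpy(v, buf, n * sizeof *buf);
    if (buf != stackbuf) free(buf);
    return 0;
}

int main(void) {
    int parts[4] = {0};              /* constructed sample: 4 tiles */
    toy_dec_t d = { 4, parts };
    printf("tileno 4 of 4: buggy=%d fixed=%d note=%d\n",
           tileno_ok_buggy(&d, 4), tileno_ok_fixed(&d, 4), note_tile_part(&d, 4));
    return 0;
}
```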
Affected version: JasPer <= 1.900.1
Credit: vulnerability report received from <[email protected]>.
2015-01-06: vulnerability report received
2015-01-06: contacted affected vendors, assigned CVEs
2015-01-21: advisory release