An issue was discovered in OpenJPEG 2.3.0. Missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c can lead to a heap-based buffer overflow.
Se ha descubierto un problema en OpenJPEG 2.3.0. La falta de comprobaciones para header_info.height y header_info.width en la función pnmtoimage en bin/jpwl/convert.c puede conducir a un desbordamiento de búfer basado en memoria dinámica (heap).
An update that fixes 13 vulnerabilities is now available. This update for openjpeg2 fixes the following issues. Fixed integer overflow vulnerability in theopj_t1_encode_cblks function. Fixed integer overflow caused by an out-of-bounds leftshift in the opj_j2k_setup_encoder function. Fixed excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c. Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c. Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c. Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.ci. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c. Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor. Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode. Fixed integer overflow that allows remote attackers to crash the application. Fixed segmentation fault in opj2_decompress due to uninitialized pointer.
