Related Vulnerabilities: CVE-2020-27828  

Severity Medium

Remote No

Type Arbitrary code execution

Description

A security issue was found in jasper up to version 2.0.22. An image processed by jasper together with crafted rlvl input could set the number of resolution levels above the maximum, which could cause a heap buffer overflow in the loop near tccp->prcwidthexpns[rlvlno] = prcwidthexpn; in the cp_create() routine of /src/libjasper/jpc/jpc_enc.c. Because prcwidthexpn and prcheightexpn can also be controlled by data obtained from the crafted input, the overflow leaves potential for exploitation as an arbitrary write.
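The missing upper bound described above, shown as an added C example on a simplified model; it is not jasper's code or the upstream patch. MAX_RLVLS, MAX_PRC_EXPN, tccp_model_t, parse_rlvl and set_precincts are hypothetical names and values; only prcwidthexpns, prcwidthexpn, prcheightexpn and rlvlno follow the names quoted in the description.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for this model; not jasper's definitions. */
#define MAX_RLVLS 33     /* assumed capacity of the per-level arrays */
#define MAX_PRC_EXPN 15  /* assumed: exponent must fit a 4-bit field */

typedef struct {
    unsigned maxrlvls;
    unsigned char prcwidthexpns[MAX_RLVLS];
    unsigned char prcheightexpns[MAX_RLVLS];
} tccp_model_t;

/* Parse an untrusted rlvl value; accept only 1..MAX_RLVLS, no trailing junk. */
int parse_rlvl(const char *s, unsigned *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > MAX_RLVLS)
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* Returns 0 on success, -1 (leaving *tccp untouched) on out-of-range input.
 * Without the range checks, the loop would index past both fixed-size
 * arrays whenever the level count exceeds MAX_RLVLS. */
int set_precincts(tccp_model_t *tccp, const char *rlvl,
                  unsigned prcwidthexpn, unsigned prcheightexpn)
{
    unsigned n;
    if (parse_rlvl(rlvl, &n) != 0)
        return -1;
    if (prcwidthexpn > MAX_PRC_EXPN || prcheightexpn > MAX_PRC_EXPN)
        return -1;
    tccp->maxrlvls = n;
    for (unsigned rlvlno = 0; rlvlno < tccp->maxrlvls; ++rlvlno) {
        tccp->prcwidthexpns[rlvlno] = (unsigned char)prcwidthexpn;
        tccp->prcheightexpns[rlvlno] = (unsigned char)prcheightexpn;
    }
    return 0;
}

int main(void)
{
    tccp_model_t tccp = {0};
    /* Constructed inputs: one in range, one above the array capacity. */
    printf("rlvl=6   -> %d\n", set_precincts(&tccp, "6", 15, 15));
    printf("rlvl=100 -> %d\n", set_precincts(&tccp, "100", 15, 15));
    return 0;
}
```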

Group AVG-1331

Package jasper

Affected 2.0.19-1

Severity Medium

Status Vulnerable

Ticket FS#68889

https://github.com/jasper-software/jasper/issues/252
https://github.com/jasper-software/jasper/pull/253
https://github.com/jasper-software/jasper/commit/a1f26d21aa1484f811de7cd64d1565334a655449