jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (CVE-2014-9029)
Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and earlier allow remote attackers to execute arbitrary code via a crafted jp2 file, which triggers a heap-based buffer overflow.
References:
http://seclists.org/oss-sec/2014/q4/898
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029
PATCH: https://bugzilla.redhat.com/attachment.cgi?id=961994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
(from redmine: issue id 3779, created on 2015-01-27, closed on 2015-09-21)
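
The off-by-one in a component number check, as an added example that is not JasPer's code and is not taken from the referenced patch. It assumes the flaw has the shape `compno > numcomps` where `compno >= numcomps` is needed; all names (`model_dec`, `comp_parms`, `model_apply`, and so on) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (hypothetical names, not JasPer's structures):
 * one parameter slot per image component, allocated on the heap. */
typedef struct { unsigned char style; } comp_parms;
typedef struct {
    unsigned    numcomps;   /* valid indices are 0 .. numcomps-1 */
    comp_parms *ccps;       /* heap array with numcomps entries */
} model_dec;

/* Off-by-one check: rejects only compno > numcomps, so compno == numcomps
 * passes and would index one element past the end of ccps. */
int compno_ok_flawed(unsigned numcomps, unsigned compno) {
    return !(compno > numcomps);
}

/* Corrected check: compno must be strictly less than numcomps. */
int compno_ok_fixed(unsigned numcomps, unsigned compno) {
    return compno < numcomps;
}

/* Count indices in [0, limit) that a check accepts although they lie
 * outside an array of numcomps entries. Nothing is dereferenced here. */
unsigned oob_accepted(int (*ok)(unsigned, unsigned), unsigned numcomps, unsigned limit) {
    unsigned n = 0;
    for (unsigned c = 0; c < limit; c++)
        if (ok(numcomps, c) && c >= numcomps)
            n++;
    return n;
}

/* Apply a per-component segment using the corrected check; -1 = rejected. */
int model_apply(model_dec *d, unsigned compno, unsigned char style) {
    if (!compno_ok_fixed(d->numcomps, compno))
        return -1;
    d->ccps[compno].style = style;
    return 0;
}

/* Build a decoder with numcomps slots and try one segment (-2 = no memory). */
int try_segment(unsigned numcomps, unsigned compno) {
    model_dec d = { numcomps, calloc(numcomps ? numcomps : 1, sizeof(comp_parms)) };
    if (!d.ccps) return -2;
    int rc = model_apply(&d, compno, 1);
    free(d.ccps);
    return rc;
}
```

The boundary value `compno == numcomps` is the case worth covering in a regression test for any decoder that indexes per-component state from a field read out of the file.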
- Relations:
  - child #3780 (closed)
  - child #3781 (closed)
  - child #3782 (closed)
  - child #3783 (closed)
- Changesets:
  - Revision a3c611fa by Natanael Copa on 2015-01-29T13:51:17Z:
    main/jasper: security fix for CVE-2014-9029
    ref #3779
  - Revision f6506740 by Natanael Copa on 2015-01-30T10:13:29Z:
    main/jasper: security fix for CVE-2014-9029
    ref #3779
    fixes #3818
    (cherry picked from commit a3c611fae92fca14cdae49707d4c798def7df413)
  - Revision d7c2a3a2 by Natanael Copa on 2015-09-21T08:45:30Z:
    main/jasper: security fix for CVE-2014-9029
    ref #3779
    fixes #3782
  - Revision a3c4e58a by Natanael Copa on 2015-09-21T09:24:58Z:
    main/jasper: security fix for CVE-2014-9029
    ref #3779
    fixes #3781
    (cherry picked from commit a3c611fae92fca14cdae49707d4c798def7df413)