VYPR
Unrated severity · NVD Advisory · Published Sep 3, 2018 · Updated Aug 5, 2024

CVE-2018-16375

Description

Missing validation of image dimensions in OpenJPEG 2.3.0 pnmtoimage leads to a heap-based buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in OpenJPEG version 2.3.0 in the pnmtoimage function within bin/jpwl/convert.c. The code reads a PNM header via read_pnm_header and stores the dimensions in header_info.height and header_info.width, but fails to validate that these values do not result in an integer overflow when computing the buffer size. An attacker can craft a PNM file with excessively large height and width values, causing a multiplication overflow that leads to an undersized heap allocation and subsequent buffer overflow.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted PNM image file as input to the pnmtoimage function. The attacker needs no special privileges beyond the ability to supply the file to an application using OpenJPEG (e.g., via file upload or direct processing). No authentication is required. The lack of validation for header_info.height and header_info.width allows the attacker to trigger the integer overflow and subsequent heap corruption.

Impact

Successful exploitation leads to a heap-based buffer overflow, which can corrupt adjacent heap memory. This can result in a denial of service (application crash) or potentially arbitrary code execution, depending on the heap layout and the attacker's ability to control the overflow content. The impact is high due to the possibility of remote code execution in systems that process untrusted PNM files using the vulnerable library.

Mitigation

The official fix is to add a check that verifies the product of header_info.height and header_info.width does not exceed INT_MAX (as proposed in the referenced issue [1]). Users should upgrade to OpenJPEG version 2.3.1 or later, which includes this check. There is no known workaround for earlier versions; users should avoid processing untrusted PNM files with vulnerable versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 37

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing checks for image dimensions in the pnmtoimage function can lead to a heap-based buffer overflow."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted PNM image file to the `pnmtoimage` function. The file must carry header `height` and `width` values whose product exceeds `INT_MAX`, the largest value an `int` can hold. The product overflows during the memory-allocation size calculation, the buffer is allocated undersized, and the subsequent writes overrun it on the heap.

Affected code

The vulnerability resides in the `pnmtoimage` function located in the file `src/bin/jpwl/convert.c`. Specifically, the issue arises after the `read_pnm_header` function is called and before the image data is processed, where checks for `header_info.height` and `header_info.width` are missing.

What the fix does

The patch introduces a check for the image dimensions before memory allocation. It verifies that `header_info.height` is not zero and that `header_info.width` is not excessively large relative to `header_info.height` to prevent integer overflow when calculating the total size. If the dimensions are too large, an error message is printed, and the function returns, thus preventing the heap-based buffer overflow.
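The check-before-allocate pattern described above, as an added example that is not OpenJPEG's code: a constructed, simplified PNM header parser feeds a dimension check (positive dimensions, and `width` no larger than `INT_MAX / height`, so the product cannot exceed `INT_MAX`) that runs before any allocation, alongside a helper showing how the unchecked 32-bit product of the same dimensions wraps to the small value an undersized allocation would be built from. The `struct pnm_header` type, the field names and every function name here are assumptions for illustration, not the library's own API.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the fields read_pnm_header fills in; the struct
   and its layout are assumptions for this example, not OpenJPEG's own type. */
struct pnm_header {
    int width;
    int height;
    int maxval;      /* 255 for 8-bit samples, up to 65535 for 16-bit */
    int components;  /* 1 for P5 (greyscale), 3 for P6 (RGB) */
};

/* What an unchecked 32-bit product of the two dimensions degrades to: the
   wrapped value is what a vulnerable allocation would be sized from. A signed
   overflow is undefined behaviour in C; unsigned arithmetic models the wrap. */
unsigned wrapped_product(int width, int height) {
    return (unsigned)width * (unsigned)height;
}

/* The same product computed without loss, for comparison. */
long long true_product(int width, int height) {
    return (long long)width * (long long)height;
}

/* The check the fix adds, restated: both dimensions positive and
   width * height <= INT_MAX, tested by division so the test cannot overflow. */
int dimensions_ok(int width, int height) {
    if (width <= 0 || height <= 0) return 0;
    if (width > INT_MAX / height) return 0;
    return 1;
}

/* Parse one whitespace-delimited decimal field into an int, rejecting
   negatives and anything that does not fit (strtol reports ERANGE for huge values). */
static int read_int_field(const char **p, int *out) {
    char *end;
    long v;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < 0 || v > INT_MAX) return 0;
    *p = end;
    *out = (int)v;
    return 1;
}

/* Simplified header parser for binary PGM ("P5") / PPM ("P6"): magic, width,
   height, maxval. '#' comment lines are not handled; constructed example only. */
int parse_pnm_header(const char *buf, struct pnm_header *out) {
    const char *p = buf;
    if (buf[0] != 'P' || (buf[1] != '5' && buf[1] != '6')) return 0;
    out->components = (buf[1] == '6') ? 3 : 1;
    p += 2;
    if (!read_int_field(&p, &out->width)) return 0;
    if (!read_int_field(&p, &out->height)) return 0;
    if (!read_int_field(&p, &out->maxval)) return 0;
    if (out->maxval <= 0 || out->maxval > 65535) return 0;
    return 1;
}

/* Check-then-allocate: returns NULL (after printing an error, as the described
   fix does) when the dimensions are rejected, so no undersized buffer exists. */
unsigned char *alloc_pixel_buffer(const struct pnm_header *h) {
    size_t area, per_pixel;
    if (!dimensions_ok(h->width, h->height)) {
        fprintf(stderr, "pnm: rejecting %d x %d image: dimensions invalid or too large\n",
                h->width, h->height);
        return NULL;
    }
    area = (size_t)h->width * (size_t)h->height;     /* <= INT_MAX, cannot wrap */
    per_pixel = (size_t)h->components * (h->maxval > 255 ? 2 : 1);
    if (area > SIZE_MAX / per_pixel) return NULL;    /* guard the second multiply too */
    return (unsigned char *)calloc(area * per_pixel, 1);
}

/* Full path from header bytes to allocation decision: 1 = accepted, 0 = rejected. */
int header_accepted(const char *buf) {
    struct pnm_header h;
    unsigned char *pixels;
    if (!parse_pnm_header(buf, &h)) return 0;
    pixels = alloc_pixel_buffer(&h);
    if (pixels == NULL) return 0;
    free(pixels);
    return 1;
}

int main(void) {
    /* Constructed sample headers: a benign image, one whose dimension product
       overflows a 32-bit int, and one with a zero height. */
    const char *samples[] = {
        "P5\n1024 768\n255\n",
        "P6\n65536 65536\n255\n",
        "P5\n0 10\n255\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, header_accepted(samples[i]) ? "accepted" : "rejected");
    printf("65536 x 65536 wraps to %u (true value %lld)\n",
           wrapped_product(65536, 65536), true_product(65536, 65536));
    return 0;
}
```

The division form `width > INT_MAX / height` is the idiomatic way to express "the product exceeds `INT_MAX`" without performing the overflowing multiplication; the second guard against `SIZE_MAX` covers the later multiplication by sample size and component count, which the dimension check alone does not bound.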

Preconditions

  • Input: A specially crafted PNM image file with excessively large dimensions.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.