VYPR
Unrated severity · NVD Advisory · Published Sep 3, 2018 · Updated Aug 5, 2024

CVE-2018-16376

Description

OpenJPEG 2.3.0 has a heap-based buffer overflow in t2_encode_packet due to missing length checks, leading to potential denial of service or other impact.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in OpenJPEG version 2.3.0 in the function t2_encode_packet located in lib/openmj2/t2.c. The code writes SOP (0xff91) and EPH (0xff92) markers into an output buffer without first verifying that sufficient space remains, leading to an out-of-bounds write when the buffer length is insufficient. This occurs when the coding style flags J2K_CP_CSTY_SOP or J2K_CP_CSTY_EPH are enabled [1].

Exploitation

An attacker can trigger the vulnerability by providing a crafted JPEG-2000 image that causes the encoder to enter a code path where the output buffer is too small to accommodate the marker segments. No special privileges or authentication are required; the attack can be delivered via a malicious file that is processed by an application using the vulnerable OpenJPEG library [1].

Impact

Successful exploitation results in a heap-based buffer overflow, which can cause a denial of service (application crash) and potentially lead to arbitrary code execution or other unspecified impacts. The write occurs beyond the allocated heap buffer, corrupting adjacent memory [1].

Mitigation

The issue was reported and fixed in OpenJPEG after version 2.3.0. The patch introduces length checks before writing the SOP and EPH markers, returning OPJ_FALSE if insufficient space remains [1]. Users should upgrade to a patched release (e.g., 2.3.1 or later) to remediate the vulnerability.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 59

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing length checks in the t2_encode_packet function allow for heap-based buffer overflows."

Attack vector

An attacker can trigger this vulnerability by providing a crafted image file to the OpenJPEG library. Specifically, the vulnerability is triggered within the `t2_encode_packet` function when processing SOP (Start of Packet) or EPH (End of Packet) markers without sufficient checks on the remaining buffer length. This can lead to an out-of-bounds write, potentially resulting in remote denial of service or other unspecified impacts [1].

Affected code

The vulnerability resides in the `t2_encode_packet` function located in the file `lib/openmj2/t2.c`. Specifically, the code paths related to handling the `J2K_CP_CSTY_SOP` and `J2K_CP_CSTY_EPH` markers are affected due to missing length validations [1].

What the fix does

The patch introduces checks for the remaining buffer length before writing SOP (6 bytes) and EPH (2 bytes) markers. If the buffer is too small to accommodate these markers, the function now returns an error, preventing the out-of-bounds write. This addresses the vulnerability by ensuring that data is only written when there is sufficient space in the output buffer [1].
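The following is an added illustration of the hardened pattern described above, not OpenJPEG's own code: a marker writer that checks the remaining destination length before each SOP (6-byte) and EPH (2-byte) write and fails instead of overflowing. The flag values, function names and the 3-byte packet header are constructed for the example; the marker byte values (FF91 with Lsop = 4 and a 16-bit Nsop, FF92) follow the JPEG 2000 packet layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for OpenJPEG's J2K_CP_CSTY_SOP / J2K_CP_CSTY_EPH
 * flags; the real bit values are not reproduced here. */
#define CSTY_SOP 0x02u
#define CSTY_EPH 0x04u

#define SOP_LEN 6u  /* FF91, Lsop = 0004, Nsop (16-bit packet counter) */
#define EPH_LEN 2u  /* FF92 */

/* Hardened marker writer modelled on the fix: every write is preceded by
 * a remaining-length check, and the function fails (returns -1, playing
 * the role of OPJ_FALSE) instead of writing past dst. Layout follows the
 * JPEG 2000 packet order: SOP, packet header, EPH. */
int write_packet_markers(uint8_t *dst, size_t dst_len, unsigned csty,
                         unsigned packet_no, const uint8_t *hdr, size_t hdr_len)
{
    size_t pos = 0;

    if (csty & CSTY_SOP) {
        if (dst_len - pos < SOP_LEN) return -1;   /* the check 2.3.0 lacked */
        dst[pos++] = 0xff; dst[pos++] = 0x91;     /* SOP marker */
        dst[pos++] = 0x00; dst[pos++] = 0x04;     /* Lsop */
        dst[pos++] = (uint8_t)(packet_no >> 8);   /* Nsop, big-endian */
        dst[pos++] = (uint8_t)(packet_no & 0xff);
    }
    if (dst_len - pos < hdr_len) return -1;       /* packet header */
    memcpy(dst + pos, hdr, hdr_len);
    pos += hdr_len;
    if (csty & CSTY_EPH) {
        if (dst_len - pos < EPH_LEN) return -1;   /* the check 2.3.0 lacked */
        dst[pos++] = 0xff; dst[pos++] = 0x92;     /* EPH marker */
    }
    return (int)pos;
}

/* Constructed scenario: a 3-byte packet header (not real codestream data)
 * written into a destination of dst_len bytes. Returns bytes written, -1 if
 * the length check rejected the write, -2 if the layout is wrong. */
int demo_packet(size_t dst_len, unsigned csty)
{
    static const uint8_t hdr[3] = { 0x80, 0x01, 0x02 };
    uint8_t dst[32];
    if (dst_len > sizeof dst) return -1;
    int n = write_packet_markers(dst, dst_len, csty, 0x0102, hdr, sizeof hdr);
    if (n == 11 && (dst[0] != 0xff || dst[1] != 0x91 || dst[5] != 0x02 ||
                    dst[9] != 0xff || dst[10] != 0x92)) return -2;
    return n;
}
```

A destination one byte short of the EPH marker is rejected rather than overrun, which is exactly the case the 2.3.0 code mishandled.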

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.