Unrated severity · NVD Advisory · Published Jun 26, 2019 · Updated Aug 5, 2024

CVE-2018-20846


Description

OpenJPEG through 2.3.0 has out-of-bounds read access in several pi_next_* functions in openmj2/pi.c, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

OpenJPEG versions through 2.3.0 contain multiple out-of-bounds read vulnerabilities in the pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, and pi_next_cprl functions in openmj2/pi.c. Each function calculates an index and uses it to access the pi->include array without first validating that the index is within the array's allocated size.

Exploitation

An attacker can trigger these vulnerabilities by crafting a malicious JPEG 2000 image file that causes the packet iterator to generate an index larger than the allocated pi->include array. No authentication is required; the attacker only needs to convince a user or system to process the specially crafted file with an application using the vulnerable OpenJPEG library. The user interaction is minimal (e.g., opening an image or viewing a web page that decodes the image).

Impact

Successful exploitation results in an out-of-bounds read, which typically crashes the application (denial of service). Depending on the environment, it may also lead to information disclosure, though denial of service is the primary reported impact. The attacker does not gain elevated privileges but can cause the processing application to terminate unexpectedly.

Mitigation

The fix was implemented in commit c277159 [1] and merged into the OpenJPEG repository. The fix adds bounds checking before accessing the pi->include array. Users should update to a version that includes this patch. There are no reported workarounds other than updating the library.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

51

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Out-of-bounds reads occur in multiple functions within openmj2/pi.c when calculating an index."

Attack vector

Remote attackers can trigger an out-of-bounds access by providing specially crafted input that leads to an invalid index calculation within the `pi_next_lrcp`, `pi_next_rlcp`, `pi_next_rpcl`, `pi_next_pcrl`, and `pi_next_cprl` functions. This occurs when the calculated `index` exceeds the bounds of the `pi->include` array, specifically when `index >= pi->include_size` [1].

Affected code

The vulnerability resides in the `pi_next_lrcp`, `pi_next_rlcp`, `pi_next_rpcl`, `pi_next_pcrl`, and `pi_next_cprl` functions located in the `openmj2/pi.c` file. The issue arises from the calculation of the `index` variable, which is used to access the `pi->include` array without proper bounds checking [1].

What the fix does

The patch introduces a check within several `pi_next_*` functions to ensure that the calculated `index` does not exceed `pi->include_size`. If the index is out of bounds, an error message is emitted and the function returns `OPJ_FALSE`, preventing the out-of-bounds access and subsequent application crash [1].
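A simplified model of the check described above, added here as an example and not taken from OpenJPEG or the fix commit. Only `index`, `include` and `include_size` come from the advisory; `demo_pi_t`, `demo_pi_init`, `demo_pi_mark`, the `step_*` strides, the return codes and the dimensions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Simplified stand-in for the packet iterator (assumed layout, not the
 * library's struct): one "already emitted" flag per packet position. */
typedef struct {
    uint8_t *include;      /* flag array indexed by the flattened position */
    size_t   include_size; /* number of flags actually allocated */
    size_t   step_l, step_r, step_c, step_p; /* strides for the 4-D position */
} demo_pi_t;

/* Size the flag array from the dimensions declared up front. */
static int demo_pi_init(demo_pi_t *pi, size_t layers, size_t res, size_t comps, size_t precincts)
{
    pi->step_p = 1;
    pi->step_c = precincts * pi->step_p;
    pi->step_r = comps * pi->step_c;
    pi->step_l = res * pi->step_r;
    pi->include_size = layers * pi->step_l;
    pi->include = calloc(pi->include_size, 1);
    return pi->include ? 0 : -1;
}

/* Returns 1 if the packet is newly marked, 0 if it was already seen, and
 * -1 if the position falls outside the allocation (the checked behaviour). */
static int demo_pi_mark(demo_pi_t *pi, size_t layno, size_t resno, size_t compno, size_t precno)
{
    size_t index = layno * pi->step_l + resno * pi->step_r + compno * pi->step_c + precno * pi->step_p;
    if (index >= pi->include_size) {   /* the bounds check the fix adds */
        fprintf(stderr, "invalid access to include: index %zu, size %zu\n", index, pi->include_size);
        return -1;
    }
    if (pi->include[index])
        return 0;
    pi->include[index] = 1;
    return 1;
}

int main(void)
{
    demo_pi_t pi;
    if (demo_pi_init(&pi, 2, 3, 3, 4) != 0) return 1;        /* constructed: 72 flags */
    printf("in range: %d\n", demo_pi_mark(&pi, 1, 2, 2, 3)); /* index 71 */
    printf("repeat:   %d\n", demo_pi_mark(&pi, 1, 2, 2, 3));
    printf("too big:  %d\n", demo_pi_mark(&pi, 1, 2, 2, 9)); /* index 77, rejected */
    free(pi.include);
    return 0;
}
```

The rejected call models a position whose precinct number is larger than the count used to size the array, which is the kind of mismatch between allocation and iteration that the bounds check catches.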

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
