VYPR
Unrated severity · NVD Advisory · Published Jun 26, 2019 · Updated Aug 5, 2024

CVE-2018-20847

Description

An improper computation of tile boundary coordinates in OpenJPEG up to 2.3.0 leads to an integer overflow, causing a heap-buffer-overflow and potentially remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-20847 is an improper computation of the tile boundary parameters p_tx0, p_tx1, p_ty0 and p_ty1 in the opj_get_encoding_parameters function in openjp2/pi.c of OpenJPEG through version 2.3.0. The tile coordinates are computed with signed 32-bit integer arithmetic, so a crafted JPEG 2000 header can make them overflow; the wrapped coordinates then feed tile decoding, where a heap-buffer-overflow is triggered in opj_tcd_code_block_dec_allocate called from opj_tcd_init_decode_tile [1]. The fix moves the computation to unsigned arithmetic with saturation (opj_uint_max, opj_uint_min, opj_uint_adds) in the fix commits [2][3].

Exploitation

An attacker needs to provide a maliciously crafted JPEG2000 (.jp2 or .j2k) image to an application using the vulnerable OpenJPEG library. No special privileges or network access beyond delivering the file (e.g., via web upload, email attachment, or direct file read) are required. The decompression process will trigger the integer overflow when computing the tile boundaries, leading to an undersized allocation for tile data structures, followed by a heap buffer over-read or over-write when the decoder writes code-block data [1]. The ASAN report in the issue shows a READ of size 4 from a heap buffer, indicating a heap-buffer-overflow [1].

Impact

Successful exploitation can result in information disclosure (a heap memory read) or, depending on the heap layout, a crash or potential arbitrary code execution (a write primitive). The bug fires while a crafted image is decoded, so the attacker can corrupt heap metadata or adjacent data. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): high confidentiality, integrity and availability impact with low attack complexity and no privileges required, but user interaction (opening or processing the file) is needed.

Mitigation

The vulnerability is fixed in OpenJPEG 2.3.1 and later. Commits [2] and [3] in the official GitHub repository implement the fix by replacing the signed tile boundary calculations with unsigned saturated arithmetic. Users must update to a patched version or backport those patches to affected codebases. No configuration workaround exists, because the vulnerable code path is fundamental to JPEG 2000 decoding; where upgrading is not immediately possible, the usual compensating control is to refuse untrusted JPEG 2000 input or to decode it in a sandboxed, low-privilege process. The CVE is not listed on the CISA KEV as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"An integer overflow occurs in the calculation of tile coordinates due to improper handling of arithmetic operations."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted JP2 file. The vulnerability is triggered during the decoding process when the `opj_get_encoding_parameters` function calculates tile coordinates. This calculation involves multiplication and addition that can lead to an integer overflow if the input values are not properly validated [1].

Affected code

The vulnerability resides in the `opj_get_encoding_parameters` function, located in the `openjp2/pi.c` file. The issue arises from the computation of `p_tx0`, `p_tx1`, `p_ty0`, and `p_ty1`, which can lead to an integer overflow. The fix is applied in `openjp2/pi.c` and related files as shown in the provided patches [2][3].

What the fix does

The patch modifies the `opj_get_encoding_parameters` function to use unsigned integer arithmetic for calculations involving tile coordinates and dimensions. Specifically, it replaces `opj_int_max` and `opj_int_min` with `opj_uint_max` and `opj_uint_min` respectively, and uses `opj_uint_adds` for addition so that an oversized sum saturates at the 32-bit maximum instead of wrapping. The tile coordinates therefore stay within the unsigned range and get clamped to the image edge even with large header values, which removes the integer overflow [2][3].
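The two computations described in the Vulnerability section and in the paragraph above, side by side, as an added example. This is my own code, not OpenJPEG's: the struct names and fields are illustrative stand-ins for the SIZ-marker values the real decoder keeps in its coding-parameter and image structures, the `uint_muls` helper is my addition (the page only mentions `opj_uint_adds`), and the crafted header values are constructed for the demonstration. The signed variant reproduces the pre-fix pattern (an unsigned sum that wraps modulo 2^32 and is then cast to a signed 32-bit value); the saturating variant follows the fix the page describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-ins (not OpenJPEG's types) for the SIZ-marker fields. */
typedef struct {
    uint32_t tx0, ty0;  /* tile grid origin (XTOsiz, YTOsiz) */
    uint32_t tdx, tdy;  /* tile width/height (XTsiz, YTsiz) */
    uint32_t tw;        /* number of tiles per row */
} coding_params;

typedef struct { uint32_t x0, y0, x1, y1; } image_params;      /* image area on the reference grid */
typedef struct { int32_t  tx0, tx1, ty0, ty1; } tile_bounds_s;  /* pre-fix: signed coordinates */
typedef struct { uint32_t tx0, tx1, ty0, ty1; } tile_bounds_u;  /* post-fix: unsigned coordinates */

static int32_t  int_max(int32_t a, int32_t b)    { return a > b ? a : b; }
static int32_t  int_min(int32_t a, int32_t b)    { return a < b ? a : b; }
static uint32_t uint_max(uint32_t a, uint32_t b) { return a > b ? a : b; }
static uint32_t uint_min(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Saturating add: computed in 64 bits and clamped to UINT32_MAX instead of wrapping. */
uint32_t uint_adds(uint32_t a, uint32_t b) {
    uint64_t sum = (uint64_t)a + (uint64_t)b;
    return sum > UINT32_MAX ? UINT32_MAX : (uint32_t)sum;
}

/* Saturating multiply (my addition, so the p * tdx product cannot wrap either). */
uint32_t uint_muls(uint32_t a, uint32_t b) {
    uint64_t prod = (uint64_t)a * (uint64_t)b;
    return prod > UINT32_MAX ? UINT32_MAX : (uint32_t)prod;
}

/* Pre-fix pattern: the unsigned sum wraps modulo 2^32, and the cast to int32
   reinterprets any value >= 2^31 as a negative coordinate (two's-complement
   conversion, as GCC and Clang do), so the signed min/max silently accept a
   tile whose x1 lies before its x0. */
tile_bounds_s tile_bounds_signed(const coding_params *cp, const image_params *im, uint32_t tileno) {
    uint32_t p = tileno % cp->tw, q = tileno / cp->tw;
    tile_bounds_s b;
    b.tx0 = int_max((int32_t)(cp->tx0 + p * cp->tdx),       (int32_t)im->x0);
    b.tx1 = int_min((int32_t)(cp->tx0 + (p + 1) * cp->tdx), (int32_t)im->x1);
    b.ty0 = int_max((int32_t)(cp->ty0 + q * cp->tdy),       (int32_t)im->y0);
    b.ty1 = int_min((int32_t)(cp->ty0 + (q + 1) * cp->tdy), (int32_t)im->y1);
    return b;
}

/* Post-fix pattern: everything stays unsigned and the additions saturate, so an
   oversized tile is clamped to the image edge rather than wrapping around. */
tile_bounds_u tile_bounds_saturating(const coding_params *cp, const image_params *im, uint32_t tileno) {
    uint32_t p = tileno % cp->tw, q = tileno / cp->tw;
    tile_bounds_u b;
    b.tx0 = uint_max(uint_adds(cp->tx0, uint_muls(p, cp->tdx)),     im->x0);
    b.tx1 = uint_min(uint_adds(cp->tx0, uint_muls(p + 1, cp->tdx)), im->x1);
    b.ty0 = uint_max(uint_adds(cp->ty0, uint_muls(q, cp->tdy)),     im->y0);
    b.ty1 = uint_min(uint_adds(cp->ty0, uint_muls(q + 1, cp->tdy)), im->y1);
    return b;
}

/* Tile width as later allocation code would derive it (64-bit here so the
   subtraction itself cannot overflow in the demonstration). */
int64_t signed_tile_width(const coding_params *cp, const image_params *im, uint32_t tileno) {
    tile_bounds_s b = tile_bounds_signed(cp, im, tileno);
    return (int64_t)b.tx1 - (int64_t)b.tx0;
}
int64_t saturating_tile_width(const coding_params *cp, const image_params *im, uint32_t tileno) {
    tile_bounds_u b = tile_bounds_saturating(cp, im, tileno);
    return (int64_t)b.tx1 - (int64_t)b.tx0;
}

/* Constructed inputs. BENIGN is an ordinary 1000x700 image in 256x256 tiles.
   CRAFTED mimics a header whose XTsiz pushes tx0 + tdx past INT32_MAX. */
const coding_params BENIGN_CP  = { 0, 0, 256, 256, 4 };
const image_params  BENIGN_IM  = { 0, 0, 1000, 700 };
const coding_params CRAFTED_CP = { 0x10, 0, 0x7FFFFFFFu, 0x100, 1 };
const image_params  CRAFTED_IM = { 0x10, 0, 0x7FFFFFF0u, 0x100 };

int main(void) {
    tile_bounds_s s = tile_bounds_signed(&CRAFTED_CP, &CRAFTED_IM, 0);
    tile_bounds_u u = tile_bounds_saturating(&CRAFTED_CP, &CRAFTED_IM, 0);
    printf("signed:     tx0=%ld tx1=%ld width=%lld\n", (long)s.tx0, (long)s.tx1,
           (long long)signed_tile_width(&CRAFTED_CP, &CRAFTED_IM, 0));
    printf("saturating: tx0=%lu tx1=%lu width=%lld\n", (unsigned long)u.tx0, (unsigned long)u.tx1,
           (long long)saturating_tile_width(&CRAFTED_CP, &CRAFTED_IM, 0));
    return 0;
}
```

On the benign input both variants agree (tile 5 is the 256..512 range in both axes). On the crafted input the signed variant returns a negative tx1, so the derived width is negative and any size computed from it is nonsense, which is the kind of undersized allocation the Exploitation section describes; the saturating variant instead clamps tx1 to the image's x1, leaving a large but consistent tile that the decoder can still validate or reject normally.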

Preconditions

  • input: A specially crafted JP2 file.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.