CVE-2019-12973
Description
OpenJPEG 2.3.1's opj_t1_encode_cblks function has excessive iteration, enabling denial of service via crafted BMP file, similar to CVE-2018-6616.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenJPEG 2.3.1, the opj_t1_encode_cblks function in openjp2/t1.c performs excessive iteration when processing crafted BMP files. This flaw arises from insufficient bounds checking, allowing an attacker to trigger infinite loops or resource exhaustion. The issue is analogous to CVE-2018-6616 and affects versions prior to the commit that added dimension validation in BMP reading.
Exploitation
An attacker needs only the ability to supply a specially crafted BMP file to an application using OpenJPEG. No authentication, network access, or user interaction is required beyond opening the file. The attack vector is local file input, and the vulnerability is triggered during BMP decoding within bmp_read_rle8_data or similar routines, where missing checks on written vs. expected dimensions cause unbounded processing.
Impact
Denial of service (DoS) is the primary impact. The excessive iteration can cause CPU exhaustion, memory starvation, or application hang. No confidentiality, integrity, or privilege escalation is implied; the attacker merely disrupts availability via resource consumption.
Mitigation
A fix was committed in [1] as 8ee335227bbcaf1614124046aa25e53d67b11ec3, which adds validation for image dimensions early in BMP reading. Users should upgrade to OpenJPEG 2.4.0 or later. Gentoo issued GLSA 202101-29 [2] advising upgrade to >=media-libs/openjpeg-2.4.0. No workaround is available for unpatched versions.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenJPEG/OpenJPEG (description)
- OSV coordinates (32 versions), each with its affected range:
- pkg:rpm/almalinux/openjpeg2: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-devel: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-devel-docs: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-tools: < 2.4.0-4.el8
- pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Leap%2015.0: < 9.27-lp150.2.23.1
- pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Leap%2015.1: < 9.27-lp151.3.6.1
- pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweed: < 9.54.0-2.2
- pkg:rpm/opensuse/ghostscript-mini&distro=openSUSE%20Leap%2015.0: < 9.27-lp150.2.23.1
- pkg:rpm/opensuse/ghostscript-mini&distro=openSUSE%20Leap%2015.1: < 9.27-lp151.3.6.1
- pkg:rpm/suse/ghostscript&distro=HPE%20Helion%20OpenStack%208: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%204: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%205: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015: < 9.27-3.21.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1: < 9.27-3.21.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%207: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%208: < 9.27-23.28.1
- pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 9.27-23.28.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to validate that the actual amount of data read from a BMP file matches the dimensions specified in the file header."
Attack vector
An attacker can provide a specially crafted BMP file with mismatched dimensions to trigger excessive iteration within the image processing logic. This leads to a denial of service condition when the application attempts to process the malformed data. The vulnerability is triggered during the parsing of RLE8 encoded BMP data [ref_id=1].
Affected code
The vulnerability is located in the `bmp_read_rle8_data` function within the BMP processing logic. The issue involves the handling of pixel data iteration relative to the image dimensions defined in the file header [ref_id=1].
What the fix does
The patch introduces a tracking variable to count the number of pixels written during the RLE8 decoding process [ref_id=1]. After the decoding loop completes, the code compares the total number of pixels written against the expected value derived from the image's width and height. If these values do not match, the function returns an error, preventing the application from proceeding with invalid or inconsistent image data [ref_id=1].
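The check described above, as an added example that is not OpenJPEG's own code: a minimal BMP RLE8 decoder that counts every pixel it actually writes and, once the decoding loop finishes, rejects the image when that count differs from the width*height the header declares. The decoder, its return codes and the three sample streams are constructed for this illustration (assumed names, not identifiers from the project); the byte layout follows the standard RLE8 encoding (run pairs, end-of-line, end-of-bitmap, delta and absolute modes).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: NOT OpenJPEG's bmp_read_rle8_data. Names, return codes and
 * the sample buffers below are constructed for illustration only. */
enum { RLE8_OK = 0, RLE8_MALFORMED = -1, RLE8_DIM_MISMATCH = -2 };

/* Decode an RLE8 stream into dst (width*height bytes). Every pixel written is
 * counted; after the loop the count must equal the header-declared size. */
static int decode_rle8(const uint8_t *src, size_t srclen,
                       uint32_t width, uint32_t height,
                       uint8_t *dst, size_t dstlen, size_t *written_out)
{
    size_t x = 0, y = 0, i = 0, written = 0;
    int end_of_bitmap = 0;

    /* Header dimensions are attacker-controlled: guard the product first. */
    if (width == 0 || height == 0 || width > SIZE_MAX / height)
        return RLE8_MALFORMED;
    if (dstlen < (size_t)width * height)
        return RLE8_MALFORMED;
    memset(dst, 0, (size_t)width * height);

    while (!end_of_bitmap && i + 1 < srclen) {
        uint8_t c = src[i++];
        uint8_t v = src[i++];
        if (c > 0) {                         /* encoded mode: v repeated c times */
            for (unsigned k = 0; k < c; k++) {
                if (x >= width || y >= height) return RLE8_MALFORMED;
                dst[y * width + x++] = v;
                written++;
            }
        } else if (v == 0) {                 /* end of line */
            x = 0; y++;
        } else if (v == 1) {                 /* end of bitmap */
            end_of_bitmap = 1;
        } else if (v == 2) {                 /* delta: move dx, dy without writing */
            if (i + 1 >= srclen) return RLE8_MALFORMED;
            x += src[i++]; y += src[i++];
        } else {                             /* absolute mode: v literals, padded to even */
            if (v > srclen - i) return RLE8_MALFORMED;
            for (unsigned k = 0; k < v; k++) {
                if (x >= width || y >= height) return RLE8_MALFORMED;
                dst[y * width + x++] = src[i++];
                written++;
            }
            if (v & 1) i++;
        }
    }
    if (!end_of_bitmap) return RLE8_MALFORMED;
    if (written_out) *written_out = written;
    /* The post-loop consistency check: pixels written vs. declared size. */
    if (written != (size_t)width * height) return RLE8_DIM_MISMATCH;
    return RLE8_OK;
}

/* Constructed 4x2 sample whose stream fills exactly 8 pixels. */
static const uint8_t SAMPLE_CONSISTENT[] = {
    0x04, 0xAA,                         /* run: 4 x 0xAA (row 0) */
    0x00, 0x00,                         /* end of line */
    0x00, 0x03, 0x01, 0x02, 0x03, 0x00, /* absolute: 3 literals + pad byte */
    0x01, 0x07,                         /* run: 1 x 0x07 */
    0x00, 0x00,                         /* end of line */
    0x00, 0x01                          /* end of bitmap */
};
/* Constructed sample: header says 4x2, but the stream stops after one row. */
static const uint8_t SAMPLE_SHORT[] = { 0x04, 0xAA, 0x00, 0x00, 0x00, 0x01 };
/* Constructed sample: a single run longer than the 4-pixel row. */
static const uint8_t SAMPLE_OVERRUN[] = { 0x09, 0xAA, 0x00, 0x01 };

static uint8_t g_pixels[8];

static int run_sample(const uint8_t *s, size_t n)
{
    size_t written = 0;
    return decode_rle8(s, n, 4, 2, g_pixels, sizeof g_pixels, &written);
}
int check_consistent(void) { return run_sample(SAMPLE_CONSISTENT, sizeof SAMPLE_CONSISTENT); }
int check_short(void)      { return run_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT); }
int check_overrun(void)    { return run_sample(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN); }
/* Pixel value at idx after the most recent run_sample call. */
int pixel_at(size_t idx) { return idx < sizeof g_pixels ? g_pixels[idx] : -1; }

int main(void)
{
    printf("consistent: %d\n", check_consistent()); /* 0 */
    printf("short:      %d\n", check_short());      /* -2 */
    printf("overrun:    %d\n", check_overrun());    /* -1 */
    return 0;
}
```

The short stream is the case the patch targets: a decoder that trusts the header would carry on with a buffer the stream never filled, while the post-loop comparison returns an error instead. The overrun stream shows the complementary per-pixel bound that stops a run from writing outside the declared image.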
Preconditions
- input: The attacker must provide a crafted BMP file with inconsistent dimension metadata.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html (mitre; vendor-advisory; x_refsource_SUSE)
- security.gentoo.org/glsa/202101-29 (mitre; vendor-advisory; x_refsource_GENTOO)
- www.securityfocus.com/bid/108900 (mitre; vdb-entry; x_refsource_BID)
- github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3 (mitre; x_refsource_MISC)
- github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503 (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/07/msg00008.html (mitre; mailing-list; x_refsource_MLIST)
- www.oracle.com//security-alerts/cpujul2021.html (mitre; x_refsource_MISC)
- www.oracle.com/security-alerts/cpujul2020.html (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.