CVE-2020-12268

Vulnerability

A heap-based buffer overflow exists in the function jbig2_image_compose in jbig2_image.c of Artifex jbig2dec versions before 0.18. The issue occurs when composing a source image onto a destination image at an offset (x, y); missing integer overflow checks allow crafted input values to bypass size validation, resulting in an undersized buffer allocation and subsequent out-of-bounds write on the heap.

Exploitation

An attacker with the ability to supply a malicious JBIG2-encoded image (e.g., via a PDF or standalone image file) can exploit this vulnerability without authentication or user interaction beyond opening the crafted file. The input must specify extreme x and y offset values such that the arithmetic overflow of width and height calculations goes undetected. No special network position or privileges are required; the malicious file can be delivered via email, web download, or any other vector that leads to processing by a vulnerable jbig2dec instance.

Impact

Successful exploitation leads to a heap buffer overflow, likely corrupting adjacent memory. This can result in denial of service, or potentially arbitrary code execution in the context of the application using jbig2dec. The impact depends on the heap layout and the ability of the attacker to control the overflow data; at minimum, affected applications may crash. The vulnerability affects all uses of jbig2dec through image parsing in Ghostscript, PDF viewers, and other tools that rely on this library.

Mitigation

The vulnerability is fixed in jbig2dec version 0.18. The fix, introduced in commit 0726320 [1][2], adds a check to validate that src->width and src->height do not overflow when combined with the offset values. Users should update to jbig2dec 0.18 or later; if immediate update is not possible, ensure that only trusted JBIG2 data is processed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.