VYPR
Unrated severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

CVE-2020-15389

Description

OpenJPEG through 2.3.1 has a use-after-free when decompressing a mix of valid and invalid files in a directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In OpenJPEG versions through 2.3.1, a use-after-free vulnerability exists in jp2/opj_decompress.c. When the decompressor is run on a directory containing both valid and invalid JPEG 2000 files, opj_image_destroy can be called twice on the same image, leading to a use-after-free condition. The issue occurs because the code does not properly reset the image pointer after an error, causing a second iteration of the file loop to free an already-freed image [1].

Exploitation

An attacker needs to provide a directory with at least one valid and one invalid JPEG 2000 file. The decompressor processes files sequentially; when it encounters the invalid file, it attempts to read the header and fails, triggering a call to opj_image_destroy. However, the image pointer is not cleared, and on the next iteration (for the valid file), the same pointer is used again, resulting in a use-after-free read of image->comps. This can also lead to a double-free if the destruction code path is entered again [1].

Impact

Successful exploitation allows an attacker to trigger a read-after-free or double-free, which can result in information disclosure or arbitrary code execution depending on memory layout and attacker control. The vulnerability is classified as a use-after-free with potential for escalation [1][2].

Mitigation

The issue is fixed in OpenJPEG version 2.4.0. Users should upgrade to this version or later. Gentoo recommends upgrading to >=media-libs/openjpeg-2.4.0:2. No workaround is known [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

65

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The image pointer is not set to NULL after the first opj_image_destroy call, causing a second call on the same freed pointer when a subsequent file fails header parsing."

Attack vector

An attacker must induce a victim to run the OpenJPEG decompressor on a directory containing at least one valid `.jp2` file and at least one invalid file (e.g., a `.jpm` file) [1]. The attacker supplies the directory via the `-ImgDir` flag, e.g., `./opj_decompress -ImgDir Inputs/ -OutFor PGM` [1]. On the first loop iteration, the valid file is decoded and its image is freed via `opj_image_destroy` at line 1773 [1]. On the second iteration, the invalid file fails header reading at line 1480, causing `opj_image_destroy` to be called again on the same already-freed pointer, resulting in a use-after-free (read-after-free) and potentially a double-free [1]. The precondition is that the directory contains more than one file, with at least one having a good header and at least one lacking a good header [1].

Affected code

The vulnerability resides in `jp2/opj_decompress.c` and `src/lib/openjp2/image.c` of OpenJPEG through 2.3.1 [1]. The core issue is in the decompressor's main loop at line 1395 of `opj_decompress.c`, where `opj_image_destroy(image)` is called at line 1773 after successfully processing an image, but then a second call to `opj_image_destroy(image)` can occur at line 1480 when a subsequent file in the directory fails header parsing [1]. The use-after-free manifests in `image.c` at line 95 when `opj_image_destroy` reads `image->comps` from already-freed memory [1].

What the fix does

No patch is included in the bundle. The advisory [1] describes the root cause: `opj_image_destroy` is called twice on the same image pointer, once after successful decode (line 1773 of `opj_decompress.c`) and again when a subsequent file fails header parsing (line 1480). A proper fix would need to either set the `image` pointer to NULL after the first `opj_image_destroy` call so the second call is a no-op, or restructure the loop to avoid reusing the freed pointer across iterations. The vendor has acknowledged the vulnerability [1].
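The loop pattern described above, next to the pointer-reset variant, as an added example (not OpenJPEG source and not the vendor's patch). `image_t`, `image_destroy`, `read_header` and `run_loop` are hypothetical stand-ins, and images come from a static pool so the stale destroy can be counted without touching freed heap memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for opj_image_t: slots in a static pool, so a stale pointer can
   be detected without touching freed heap memory. */
typedef struct { int live; } image_t;
static image_t pool[8];
static int next_slot, stale_destroys;

/* Like opj_image_destroy, NULL is a no-op; destroying an already-destroyed
   image is counted rather than performed. */
static void image_destroy(image_t *img) {
    if (!img) return;
    if (!img->live) { stale_destroys++; return; }
    img->live = 0;
}

/* Models header parsing: success stores a fresh image in *out; failure
   leaves *out untouched (assumption of this model). */
static int read_header(int header_ok, image_t **out) {
    if (!header_ok) return 0;
    *out = &pool[next_slot++];
    (*out)->live = 1;
    return 1;
}

/* File loop over n inputs (n <= 8); headers_ok[i] is 1 for a valid header.
   reset_ptr=0 keeps the stale pointer, reset_ptr=1 clears it after each
   destroy. Returns the number of destroys on an already-freed image. */
int run_loop(const int *headers_ok, int n, int reset_ptr) {
    image_t *image = NULL;               /* shared across iterations */
    next_slot = stale_destroys = 0;
    for (int i = 0; i < n; i++) {
        if (!read_header(headers_ok[i], &image)) {
            image_destroy(image);        /* error path (line 1480 per the page) */
            if (reset_ptr) image = NULL;
            continue;
        }
        image_destroy(image);            /* end of iteration (line 1773) */
        if (reset_ptr) image = NULL;
    }
    return stale_destroys;
}

int main(void) {
    const int mixed[] = {1, 0};          /* constructed: valid, then invalid */
    printf("no reset: %d\n", run_loop(mixed, 2, 0));
    printf("reset:    %d\n", run_loop(mixed, 2, 1));
    return 0;
}
```

When checking a real build, running the decompressor under AddressSanitizer reports the second destroy directly instead of relying on a counter like this one.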

Preconditions

  • input: The victim must run the decompressor with the -ImgDir flag on a directory containing more than one file
  • input: At least one file in the directory must have a valid header (e.g., a .jp2 file)
  • input: At least one file in the directory must lack a valid header (e.g., a .jpm file)

Reproduction

Place a valid `.jp2` file and an invalid file (e.g., a `.jpm` file) in an `Inputs/` directory. Run: `./opj_decompress -ImgDir Inputs/ -OutFor PGM` [1]. The decompressor will process the valid file first, freeing the image, then attempt the invalid file, triggering a second `opj_image_destroy` on the already-freed pointer [1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7