Security Vulnerability - Action Required: Out-of-bounds Write vulnerability may be in your project
Hi,
We have detected that your project may be vulnerable to Out-of-bounds Write in the function jpc_ppxstab_insert in the file src/libjasper/jpc/jpc_dec.c. It shares similarities with a recent CVE disclosure, CVE-2022-29776, in https://github.com/ONLYOFFICE/core.
The source vulnerability information is as follows:
Vulnerability Detail:
CVE Identifier: CVE-2022-29776
Description: Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-29776
Patch: https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967
Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!
Do you have a reproducer?
@Crispy-fried-chicken: The Onlyoffice Document Server project needs to determine if the bug lies in JasPer or the Onlyoffice Document Server software. If I am understanding you correctly, you are only speculating that a bug might exist in JasPer, as it is also entirely possible that the bug is in the Onlyoffice Document Server software.
@Crispy-fried-chicken Do you have a reproducer? It is unclear what bug you think JasPer might have. Unless you can provide further information, I will have to assume that there is no problem in JasPer and close this issue.
@Crispy-fried-chicken Since no reproducer has been provided and it is unclear whether the issue mentioned is even in JasPer as opposed to being in other software using JasPer, I am closing this issue.