CVE-2018-16376: An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the...

CVSS Score: 8.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.67516%
Published: 5/14/2022
Updated: 2/2/2023
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description and the linked GitHub issue (#1127) point directly to the t2_encode_packet function in lib/openmj2/t2.c (or src/lib/openmj2/t2.c). The issue details the exact locations within the function where buffer length checks were missing, leading to potential out-of-bounds writes, and the patch proposed in the issue adds those missing checks. Although direct commit information could not be fetched, the evidence from the issue is strong and specific. The name opj_t2_encode_packet also appears in the error messages of the proposed patch (opj_event_msg(p_manager, EVT_ERROR, "opj_t2_encode_packet(): only %u bytes remaining in "...), which indicates that it is either the public-facing or higher-level function that calls the vulnerable code, or the same function (OpenJPEG uses the opj_ prefix for its public API). Given this context, t2_encode_packet is the core vulnerable routine, and opj_t2_encode_packet is the name that would appear in a higher-level stack trace, in logs or in error reports if the error is propagated or if it is an alias or wrapper for t2_encode_packet within the library's API structure, making it a key runtime indicator. The actual buffer overflow, however, happens inside the logic of t2_encode_packet as described in the issue, so for the purpose of identifying the function containing the vulnerability, t2_encode_packet is the most precise answer based on the diff in the issue. The NVD description also explicitly names t2_encode_packet.
