PT-2016-1257 · Openjpeg+4 · Openjpeg+5

Published: 2016-02-09 · Updated: 2017-11-06 · CVE-2016-1628

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

OpenJPEG versions prior to 48.0.2564.109
PDFium in Google Chrome versions prior to 48.0.2564.109
Opera versions prior to 48.0.2564.109

Description

The issue is in pi.c in OpenJPEG, as used in PDFium, which does not validate a certain precision value. This allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document. The opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions are involved in this issue.

Recommendations

For OpenJPEG versions prior to 48.0.2564.109, update to version 48.0.2564.109 or later to resolve the issue.
For PDFium in Google Chrome versions prior to 48.0.2564.109, update Google Chrome to version 48.0.2564.109 or later.
For Opera versions prior to 48.0.2564.109, update Opera to version 48.0.2564.109 or later.
As a temporary workaround, consider disabling the use of JPEG 2000 images in PDF documents until a patch is available.

Fix

RCE

DoS

Buffer Overflow

Weakness Enumeration

Related Identifiers

ALT-PU-2016-1098
BDU:2016-00529
CVE-2016-1628
DSA-3486-1
DSA-4013-1
MGASA-2016-0127
RHSA-2016:0241
RHSA-2016_0241
ZDI-16-172

Affected Products

Alt Linux
Google Chrome
Openjpeg
Opera
Pdfium
Red Hat