CVE-2016-1645

Name of the Vulnerable Software and Affected Versions OpenJPEG versions prior to 49.0.2623.87 Google Chrome versions prior to 49.0.2623.87 PDFium versions prior to 49.0.2623.87 Opera versions prior to 49.0.2623.87

Description The issue is caused by multiple integer signedness errors in the opj j2k update image data function in j2k.c in OpenJPEG, which is used in PDFium in Google Chrome and Opera. This allows remote attackers to cause a denial of service (incorrect cast and out-of-bounds write) or possibly have unspecified other impact via crafted JPEG 2000 data.

Recommendations For OpenJPEG versions prior to 49.0.2623.87, update to a version that includes the fix for the opj j2k update image data function. For Google Chrome versions prior to 49.0.2623.87, update to version 49.0.2623.87 or later. For PDFium versions prior to 49.0.2623.87, update to a version that includes the fix for the opj j2k update image data function. For Opera versions prior to 49.0.2623.87, update to a version that includes the fix for the opj j2k update image data function. As a temporary workaround, consider disabling the opj j2k update image data function until a patch is available.