Security Vulnerability - Action Required: Out-of-bounds Write vulnerability may in your project

[Crispy-fried-chicken]

Hi,
we have detected that your project may be vulnerable to Out-of-bounds Write in the function of jpc_ppxstab_insert in the file of src/libjasper/jpc/jpc_dec.c . It shares similarities to a recent CVE disclosure CVE-2022-29776 in the https://github.com/ONLYOFFICE/core.
The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2022-29776
Description: Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-29776
Patch: ONLYOFFICE/core@88cf60a

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

[jubalh]

Do you have a reproducer?

[mdadams]

@Crispy-fried-chicken: The Onlyoffice Document Server project needs to determine if the bug lies in JasPer or the Onlyoffice Document Server software. If I am understanding you correctly, you are only speculating that a bug might exist in JasPer, as it is also entirely possible that the bug is in the Onlyoffice Document Server software.