Some versions of JasPer contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.
JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code.
CVE-2011-4516: src/libjasper/jpc/jpc_cs.c: jpc_cox_getcompparms
By tricking a user into opening or previewing an image file in an application that decodes images with the JasPer library, an attacker can execute arbitrary code or cause a denial-of-service crash.
Apply an update
Please consider the following workarounds:
These vulnerabilities were discovered by Jonathan Foote of the CERT/CC.