{"id":"CVE-2016-8884","details":"The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690.","modified":"2026-04-16T06:22:05.841017360Z","published":"2017-03-28T14:59:00.297Z","related":["SUSE-SU-2016:2775-1","SUSE-SU-2016:2776-1","openSUSE-SU-2024:10281-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/10/23/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/10/23/9"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1208"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93834"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1385499"},{"type":"FIX","url":"https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jasper-software/jasper","events":[{"introduced":"0"},{"fixed":"5d66894d2313e3f3469f19066e149e08ff076698"}]},{"type":"GIT","repo":"https://github.com/mdadams/jasper","events":[{"introduced":"0"},{"last_affected":"e85c498d29cde9d5062e7aaae5a6bf018e80552d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.900.5"}]}}],"versions":["version-1.900.1","version-1.900.2","version-1.900.3","version-1.900.4","version-1.900.5","version-1.900.6","version-1.900.7","version-1.900.8"],"database_specific":{"vanir_signatures_modified":"2026-04-11T05:01:03Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"23"}]},{"events":[{"introduced":"0"},{"last_affected":"24"}]}],"vanir_signatures":[{"deprecated":false,"source":"https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698","signature_type":"Function","target":{"function":"jas_matrix_create","file":"src/libjasper/base/jas_seq.c"},"id":"CVE-2016-8884-0d0f6df7","digest":{"length":908,"function_hash":"336858158783137425965575654221703239953"},"signature_version":"v1"},{"deprecated":false,"source":"https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698","signature_type":"Line","target":{"file":"src/libjasper/base/jas_seq.c"},"id":"CVE-2016-8884-2eb70ae8","digest":{"line_hashes":["71303920133274689466226181545812425676","94596582825739538754825427942708852741","275471086909385279134964357376236752991"],"threshold":0.9},"signature_version":"v1"},{"deprecated":false,"digest":{"line_hashes":["78973177877917695942638208592209958253","212725225705326190465004846873072948550","250005734814337826862306175523633005451","174480673136472974918934133963232957227","69116038732016939922742827558794222153","281603356252916559259227721928432709792","318085406603409284525238239676050625742","118641129552952768440473744706059090681","193134872678604225381121387858645529635","199937166387260850121312225868863801056","92917074845256795268883206691593715767","294250722161227081257470682113364523081","154405990111369122451450973806739399629","175823310022342425432986529838335762815","273588352002904665769437215781312199768","180998429040125013897728147395770693462","56129106083977619482143380465998234460","8910729891691865940539364005422125705","145789051040975065506187954076816442642","192531754977903976340703752365614522672","332060732998573184143787208617380997351","326333860853835892423194464156211935241","97889446831146911932369610927773762490","332771738261049717377917334250138429675","270755596045753749882424287217064795039","322167767617317903190671877369915527931","145368597730880639152782015473620825507","8707411845387877919543962288074286346","314267486699835461041297783376008589014","194015683644782531265877841290052538388","11658753891436937409727887195579584797","274737492504423320891825333031954427373","75735118697033336437928615902021781059","262540838841247533357222297613532373245","295399224259688873328353956616543512347","153920317662153056187463550696823321671","224643264404938019896581945255641848673","49043992406964911650469447437711109637","184874286120531686686562300845882839130","122625378795675173251758044186141788266","266156442886805910791505284316363702218","224611412856738176883450651058747496308","237852050891441876209241916330977536613","186569495922325289644266616094736437360","85941260168008482818339067493106036040"],"threshold":0.9},"signature_type":"Line","target":{"file":"src/libjasper/bmp/bmp_dec.c"},"source":"https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698","id":"CVE-2016-8884-533a9cc4","signature_version":"v1"},{"deprecated":false,"id":"CVE-2016-8884-7bb45442","signature_type":"Function","target":{"function":"bmp_decode","file":"src/libjasper/bmp/bmp_dec.c"},"source":"https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698","digest":{"length":2420,"function_hash":"127579757359071162609382256820357015217"},"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8884.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}