{"id":"CVE-2016-9572","details":"A NULL pointer dereference flaw was found in the way openjpeg 2.1.2 decoded certain input images. Due to a logic error in the code responsible for decoding the input image, an application using openjpeg to process image data could crash when processing a crafted image.","modified":"2026-04-16T06:19:45.554603984Z","published":"2018-08-01T16:29:00.383Z","related":["SUSE-SU-2016:3270-1","openSUSE-SU-2017:2567-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/109233"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201710-26"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-3768"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9572"},{"type":"FIX","url":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"type":"EVIDENCE","url":"https://github.com/uclouvain/openjpeg/issues/863"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/szukw000/openjpeg","events":[{"introduced":"0"},{"fixed":"7b28bd2b723df6be09fe7791eba33147c1c47d0d"}]},{"type":"GIT","repo":"https://github.com/uclouvain/openjpeg","events":[{"introduced":"0"},{"last_affected":"1f1e968269bbd7eaade7955892a6d8c281b91df2"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.2"}]}}],"versions":["v2.1.1","v2.1.2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T03:56:43Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9572.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"vanir_signatures":[{"digest":{"length":2850,"function_hash":"193136940573119357836124800919983322157"},"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-22dc9f72","signature_type":"Function","target":{"function":"opj_j2k_get_tile","file":"src/lib/openjp2/j2k.c"},"deprecated":false},{"digest":{"length":8298,"function_hash":"297676261437184694016835715520667960776"},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-238d320f","signature_type":"Function","target":{"function":"main","file":"src/bin/jp2/opj_decompress.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"deprecated":false,"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-244fc7ff","signature_type":"Line","target":{"file":"src/bin/jp2/convertbmp.c"},"digest":{"line_hashes":["318264711267618518751963823025624787858","255363180696734635951214510385402174049","309841295499363486108133483116972563936","14561951267035938107675197466098701316","15639637573197209635959170013101441935"],"threshold":0.9}},{"digest":{"line_hashes":["228490326070881309985403427500286322939","17687366975017735657591238761002032239","239581916029237176554430048550513987813","212174472147716699098750234530926059957"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-31a54708","signature_type":"Line","target":{"file":"src/bin/jp2/opj_decompress.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"digest":{"length":5536,"function_hash":"253581360288918369994768571986053002378"},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-524a6142","signature_type":"Function","target":{"function":"imagetopnm","file":"src/bin/jp2/convert.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"deprecated":false,"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-5e356f67","signature_type":"Function","target":{"function":"opj_j2k_decode","file":"src/lib/openjp2/j2k.c"},"digest":{"length":1055,"function_hash":"33275239114353805521079340080330716201"}},{"digest":{"line_hashes":["80315732206355359049050769247888656091","183763278690463407009818878414944039954","62822351838568414076055483728315566222","122396704176018901594857699730273313546","262148574508447972117312429828193579183","136706975510943855203607052440698341936","193612096258726163727787347278234715483","47142360348409988863822996383906422293","52030118202603584211358048115811922219","190010574521500998074619833611306749941","111072910875417164785446644371401396370","153462369694004413846611341277916680725","257103834486202656738728233321824753304","72036359385383864535123877284098252703","203186649364705011118148340480887803902","339167995955655546575847274629792267207","161714677321586967482788935172220399570","190119430394339295500259979754348457523","36021345366885397673199063209432470823","12763122897174111320792906513163393472","139120114906283556372762204524320099530","230096631979752056642068377261925875985","308383285384679798260528084732020131797","91461493161587018849829739536973344207","242775405494858142976238549683244043885","284902547186276625068125661054229431110","265140894365009529774366330508618613646"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-619e62ee","signature_type":"Line","target":{"file":"src/bin/jp2/convert.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"deprecated":false,"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-9f24bb02","signature_type":"Line","target":{"file":"src/lib/openjp2/j2k.c"},"digest":{"line_hashes":["135871134447234627874245013138127965852","308005561986685042015028372656817408867","109625809900293282610397426434514288476","324530319344996584960719067886783000030","82526264930603096558269276368594977261","245830637960672274992287612575021189575","301571008654756861986195373651121103945","160900890564292618354247114135242261711","207179950201084715599855631176457646366","315164313095756400637091384970624751387","228743686273374863276121384749357185263","153686703996815414543249050234097436785","108237980005460661314357549048658353636","66907927412709611544060494845656412775","14182392715881408348973902011195640487"],"threshold":0.9}},{"digest":{"length":2903,"function_hash":"10145319696166922982477300412952557678"},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-bbff2600","signature_type":"Function","target":{"function":"imagetotga","file":"src/bin/jp2/convert.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"digest":{"length":3477,"function_hash":"273635315231797665313944944891916635209"},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9572-c03ddbc6","signature_type":"Function","target":{"function":"imagetoraw_common","file":"src/bin/jp2/convert.c"},"source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d"},{"deprecated":false,"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-c0ed7cde","signature_type":"Function","target":{"function":"imagetobmp","file":"src/bin/jp2/convertbmp.c"},"digest":{"length":8515,"function_hash":"275523838856146161356127068872183091878"}},{"deprecated":false,"signature_version":"v1","source":"https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d","id":"CVE-2016-9572-d0d1abc4","signature_type":"Function","target":{"function":"opj_j2k_read_siz","file":"src/lib/openjp2/j2k.c"},"digest":{"length":10011,"function_hash":"63313544961116613434530705982078774213"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}