{"id":"CVE-2019-12973","details":"In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.","modified":"2026-04-16T04:36:21.201975252Z","published":"2019-06-26T18:15:10.120Z","related":["ALSA-2021:4251","SUSE-SU-2019:2460-1","SUSE-SU-2019:2478-1","openSUSE-SU-2019:2222-1","openSUSE-SU-2019:2223-1","openSUSE-SU-2024:10783-1","openSUSE-SU-2024:11120-1"],"references":[{"type":"WEB","url":"https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108900"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-29"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/uclouvain/openjpeg","events":[{"introduced":"0"},{"last_affected":"57096325457f96d8cd07bd3af04fe81d7a2ba788"},{"fixed":"8ee335227bbcaf1614124046aa25e53d67b11ec3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.1"}]}}],"versions":["v2.2.0","v2.3.0","v2.3.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"8.5.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.5.5"}]}],"vanir_signatures_modified":"2026-04-11T08:05:36Z","vanir_signatures":[{"target":{"function":"bmp_read_rle8_data","file":"src/bin/jp2/convertbmp.c"},"signature_type":"Function","digest":{"function_hash":"81929091039132960155780805690430238765","length":1399},"id":"CVE-2019-12973-35e0ec8a","deprecated":false,"signature_version":"v1","source":"https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"},{"target":{"file":"src/bin/jp2/convertbmp.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["77636936433144648117381511526191110653","183302273827641616826540289135523153428","65269223957392472433334701979460511267","59707955247167473863662549267590613949","322298667671987638395076744301206986377","232404145414626107981458196450651320968","289458997193636776763867888812167293327","13384536911047527457182828460160666900","46871980493215975922026015114378524541","144104948709376102765644926628207135645","295170891517319101389231089439069449359","252787013674851661264041490130253976418","107250163831291265973788838952952422966","250245717910178570951424657858112863088","93537647608255735541413567565670746666","228234405337706127464700532848322466791","264929650207890875718971684201152659841","108587633537507210242609878158511307392","241166423729958240998350858258662147156","169443768931054359674620264080578889195","120751972370044129218675960987130825278"]},"id":"CVE-2019-12973-83778897","deprecated":false,"signature_version":"v1","source":"https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12973.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}