{"id":"CVE-2016-7163","details":"Integer overflow in the opj_pi_create_decode function in pi.c in OpenJPEG allows remote attackers to execute arbitrary code via a crafted JP2 file, which triggers an out-of-bounds read or write.","modified":"2026-03-20T11:14:58.164653Z","published":"2016-09-21T14:25:28.550Z","related":["MGASA-2016-0362","MGASA-2017-0122","SUSE-SU-2017:2144-1","openSUSE-SU-2017:2567-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2T6IQAMS4W65MGP7UW5FPE22PXELTK5D/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGKSEWWWED77Q5ZHK4OA2EKSJXLRU3MK/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4IRSGYMBSHCBZP23CUDIRJ3LBKH6ZJ7/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66BWMMMWXH32J5AOGLAJGZA3GH5LZHXH/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AQ2IIIQSJ3J4MONBOGCG6XHLKKJX2HKM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYLOX7PZS3ZUHQ6RGI3M6H27B7I5ZZ26/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/09/08/3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/09/08/6"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92897"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0559.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0838.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3665"},{"type":"FIX","url":"https://github.com/uclouvain/openjpeg/issues/826"},{"type":"FIX","url":"https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4"},{"type":"FIX","url":"https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24"},{"type":"FIX","url":"https://github.com/uclouvain/openjpeg/pull/809"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/uclouvain/openjpeg","events":[{"introduced":"0"},{"fixed":"3d7cde5fc9fbc5618d02160900d32e02ed12a00e"},{"fixed":"c16bc057ba3f125051c9966cf1f5b68a05681de4"},{"fixed":"ef01f18dfc6780b776d0674ed3e7415c6ef54d24"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.0"}]}}],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["185758999126045357971661671097814027204","86990504606690239380690591281970397774","317109803081451321303173666652321153890","146470900076975004561247892323613665606"],"threshold":0.9},"source":"https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4","target":{"file":"src/lib/openjp2/pi.c"},"id":"CVE-2016-7163-05a5f81d"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"function_hash":"327494365687452293443704431018112264625","length":2876},"source":"https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4","target":{"function":"opj_pi_create_decode","file":"src/lib/openjp2/pi.c"},"id":"CVE-2016-7163-d9f02d1b"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"function_hash":"202036459876181118633764252559168912195","length":2957},"source":"https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24","target":{"function":"opj_pi_create_decode","file":"src/lib/openjp2/pi.c"},"id":"CVE-2016-7163-e0dd0bb1"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["101491955642050062039341120958308977673","292105675131205126059570189938538731622","174113429180073947026689323121376750221","64243987556959019689011967934429915812"],"threshold":0.9},"source":"https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24","target":{"file":"src/lib/openjp2/pi.c"},"id":"CVE-2016-7163-f3f83cb3"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-7163.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"23"}]},{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}