Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlier allows remote attackers to execute arbitrary code via a length value that passes a length check as a negative number, but triggers a buffer overflow when it is used as an unsigned length.
Exploitability
AV:NAC:LAu:NImpact
C:NI:PA:P6.4/AV:N/AC:L/Au:N/C:N/I:P/A:P