NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444torgb function in color.c, coloresycctorgb function in color.c, and sycc422to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.