avcodec/jpeg2000dec: fix cdef remapping out-of-bounds write (CVE-2025-9951)#124
Open
dkgkdfg65 wants to merge 1 commit into
Conversation
…-9951)

Backports the upstream fix onto the 7.1.1 base:
- 104d684 avcodec/jpeg2000dec: move cdef default check into get_siz()
- 01a292c avcodec/jpeg2000dec: implement cdef remapping during pixel format matching

A crafted cdef box could remap a component onto an arbitrary plane, so WRITE_FRAME indexed planes out of bounds and wrote past a smaller plane's buffer (heap-buffer-overflow in write_frame_8). get_siz() now finalizes cdef early and rejects channel combinations that don't match the component count.

Verified with AddressSanitizer on the 7.1.1 build: the proof-of-concept file no longer overflows (rejected as invalid) and valid JPEG2000 input still decodes.
Fixes #123 (CVE-2025-9951).

The JPEG2000 decoder on the current 7.1.1 base has a heap buffer overflow in `write_frame_8`: a crafted `cdef` box can remap a component onto an arbitrary plane, and `WRITE_FRAME` uses that index without bounds-checking, writing a larger plane's data past a smaller plane's buffer.

This backports the upstream fix:

- 104d6846c1be avcodec/jpeg2000dec: move cdef default check into get_siz()
- 01a292c7e365 avcodec/jpeg2000dec: implement cdef remapping during pixel format matching

`get_siz()` now finalizes `cdef` early and rejects channel/component combinations that don't match, and the chroma-shift computation uses the remapped index.

Verified with AddressSanitizer on this 7.1.1 build:

```
heap-buffer-overflow WRITE ... write_frame_8 libavcodec/jpeg2000dec.c
```

on the PoC from JPEG2000 decoder heap buffer overflow (CVE-2025-9951) not yet backported to 7.1.1 #123
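The remapping bug and the early check described in this PR, as an added model in C. This is not code from the PR, from FFmpeg's `jpeg2000dec.c`, or from the PoC: it parses the `cdef` box layout from ISO/IEC 15444-1 Annex I.5.3.6 (uint16 N, then N triples of Cn, Typ, Asoc), builds the component-to-plane map once by trusting the box the way the pre-fix decoder did and once with the validation the backport describes (entry count must match the component count, every channel and target component used exactly once), and then runs the geometry check that any plane-writing loop depends on, using the remapped index. The function names (`remap_trusting`, `finalize_cdef`, `first_misfit`, `trusting_misfit`, `hardened_cdef`), the 4:2:0 plane sizes and the three `cdef` payloads are constructed for this example; `get_siz()` and `WRITE_FRAME` themselves are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COMPONENTS 4

/* One entry of the JP2 'cdef' box (ISO/IEC 15444-1 Annex I.5.3.6):
 * Cn = codestream channel, Typ = channel type (0 = colour),
 * Asoc = association (0 = whole image, 1..N = colour component N, 65535 = none). */
struct cdef_entry { uint16_t cn, typ, asoc; };

struct rect { int w, h; };   /* size of a codestream component or an output plane */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a cdef payload: uint16 N, then N x {Cn, Typ, Asoc}, big-endian.
 * Returns the entry count, or -1 if the box is truncated or has too many entries. */
static int parse_cdef(const uint8_t *buf, size_t len, struct cdef_entry *out, int max)
{
    if (len < 2) return -1;
    int n = rd16(buf);
    if (n > max || len < 2 + (size_t)n * 6) return -1;
    for (int i = 0; i < n; i++) {
        const uint8_t *e = buf + 2 + i * 6;
        out[i].cn = rd16(e); out[i].typ = rd16(e + 2); out[i].asoc = rd16(e + 4);
    }
    return n;
}

/* Pre-fix shape of the bug (model): Asoc is trusted, so remap[cn] may name a plane
 * the frame does not have. cn is bounded only so this model cannot corrupt itself. */
static int remap_trusting(const struct cdef_entry *e, int n, int *remap)
{
    for (int i = 0; i < n; i++) {
        if (e[i].cn >= MAX_COMPONENTS) return -1;
        remap[e[i].cn] = (int)e[i].asoc - 1;
    }
    return 0;
}

/* Hardened finalisation in the spirit of the backported fix (a model, not FFmpeg's
 * get_siz()): exactly ncomponents colour entries, each channel and each target
 * component used once, every index inside the component count. */
static int finalize_cdef(const struct cdef_entry *e, int n, int ncomponents, int *remap)
{
    int seen_cn[MAX_COMPONENTS] = {0}, seen_plane[MAX_COMPONENTS] = {0};
    if (n != ncomponents || ncomponents > MAX_COMPONENTS) return -1;
    for (int i = 0; i < n; i++) {
        if (e[i].typ != 0) return -1;
        if (e[i].cn >= ncomponents || seen_cn[e[i].cn]) return -1;
        if (e[i].asoc < 1 || e[i].asoc > ncomponents || seen_plane[e[i].asoc - 1]) return -1;
        seen_cn[e[i].cn] = seen_plane[e[i].asoc - 1] = 1;
        remap[e[i].cn] = e[i].asoc - 1;
    }
    return 0;
}

/* Geometry check a plane-writing loop depends on: each component's remapped plane must
 * exist and be at least as large as the component. Returns the first component that
 * would write out of bounds, or -1 if every component fits. */
static int first_misfit(const int *remap, const struct rect *comp, int ncomponents,
                        const struct rect *plane, int nplanes)
{
    for (int c = 0; c < ncomponents; c++) {
        int p = remap[c];
        if (p < 0 || p >= nplanes) return c;                         /* past the plane array */
        if (comp[c].w > plane[p].w || comp[c].h > plane[p].h) return c; /* larger than target */
    }
    return -1;
}

/* Constructed 4:2:0 geometry: component/plane 0 full size, 1 and 2 half size. */
static const struct rect COMPS[3]  = {{64, 64}, {32, 32}, {32, 32}};
static const struct rect PLANES[3] = {{64, 64}, {32, 32}, {32, 32}};

/* Constructed cdef payloads (not the PoC): N = 3, then {Cn, Typ, Asoc} triples. */
static const uint8_t CDEF_OK[]      = {0,3, 0,0,0,0,0,1, 0,1,0,0,0,2, 0,2,0,0,0,3};
static const uint8_t CDEF_BAD_IDX[] = {0,3, 0,0,0,0,0,1, 0,1,0,0,0,2, 0,2,0,0,0,9}; /* Asoc 9 > 3 */
static const uint8_t CDEF_SWAP[]    = {0,3, 0,0,0,0,0,2, 0,1,0,0,0,1, 0,2,0,0,0,3}; /* full comp -> half plane */

/* Trusting path: which component would the write loop overflow on? (-2: unparseable) */
static int trusting_misfit(const uint8_t *box, size_t len)
{
    struct cdef_entry e[MAX_COMPONENTS];
    int remap[MAX_COMPONENTS] = {0, 1, 2, 3};
    int n = parse_cdef(box, len, e, MAX_COMPONENTS);
    if (n < 0 || remap_trusting(e, n, remap) < 0) return -2;
    return first_misfit(remap, COMPS, 3, PLANES, 3);
}

/* Hardened path: 0 if accepted, -1 if rejected before any plane is written. */
static int hardened_cdef(const uint8_t *box, size_t len)
{
    struct cdef_entry e[MAX_COMPONENTS];
    int remap[MAX_COMPONENTS];
    int n = parse_cdef(box, len, e, MAX_COMPONENTS);
    if (n < 0 || finalize_cdef(e, n, 3, remap) < 0) return -1;
    /* indices are valid; geometry is still resolved with the remapped index */
    return first_misfit(remap, COMPS, 3, PLANES, 3) < 0 ? 0 : -1;
}

int main(void)
{
    const uint8_t *boxes[] = {CDEF_OK, CDEF_BAD_IDX, CDEF_SWAP};
    const size_t lens[] = {sizeof CDEF_OK, sizeof CDEF_BAD_IDX, sizeof CDEF_SWAP};
    for (int i = 0; i < 3; i++)
        printf("box %d: trusting path overflows on component %d, hardened rc %d\n",
               i, trusting_misfit(boxes[i], lens[i]), hardened_cdef(boxes[i], lens[i]));
    return 0;
}
```

The out-of-range `Asoc` box is caught by the index validation alone, which is the part of the fix that moving the check into `get_siz()` provides. The swap box is a valid permutation and passes the index check, so it is only refused because the geometry is computed with the remapped index; that is why the description stresses that the chroma-shift computation must use the remapped component.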