This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.3 in repository ffmpeg.
commit a7f6ee19a8b317be661d837c1a7ece41c0d46faa Author: Michael Niedermayer <[email protected]> AuthorDate: Tue Aug 5 23:42:23 2025 +0200 Commit: James Almer <[email protected]> CommitDate: Fri Jan 2 21:58:51 2026 +0000 avcodec/jpeg2000dec: implement cdef remapping during pixel format matching Fixes: out of array access Fixes: poc.jp2 Fixes: CVE-2025-9951 Found-by: Andy Nguyen <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 01a292c7e36545ddeb3c7f79cd02e2611cd37d73) Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit eb80096cbe8b11105f7be0eb99233667e8836c1a) Signed-off-by: Carlos Henrique Lima Melara <[email protected]> --- libavcodec/jpeg2000dec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 51fd5dd2dc..a04c545669 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -351,6 +351,14 @@ static int get_siz(Jpeg2000DecoderContext *s) } // after here we no longer have to consider negative cdef + int cdef_used = 0; + for (i = 0; i < s->ncomponents; i++) + cdef_used |= 1<<s->cdef[i]; + + // Check that the channels we have are what we expect for the number of components + if (cdef_used != ((int[]){0,2,3,14,15})[s->ncomponents]) + return AVERROR_INVALIDDATA; + for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i uint8_t x = bytestream2_get_byteu(&s->g); s->cbps[i] = (x & 0x7f) + 1; @@ -363,7 +371,9 @@ static int get_siz(Jpeg2000DecoderContext *s) av_log(s->avctx, AV_LOG_ERROR, "Invalid sample separation %d/%d\n", s->cdx[i], s->cdy[i]); return AVERROR_INVALIDDATA; } - log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 + 2; + int i_remapped = s->cdef[i] ? s->cdef[i]-1 : (s->ncomponents-1); + + log2_chroma_wh |= s->cdy[i] >> 1 << i_remapped * 4 | s->cdx[i] >> 1 << i_remapped * 4 + 2; } s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
