cbsjpegsplitfragment in libavcodec/cbsjpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEGMARKERSOS handling because of a missing length check.
[ { "source": "https://github.com/ffmpeg/ffmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726", "signature_version": "v1", "target": { "file": "libavcodec/cbs_jpeg.c", "function": "cbs_jpeg_split_fragment" }, "digest": { "length": 3246.0, "function_hash": "295269910854795076654787475383993439121" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2020-12284-05b42b91" }, { "source": "https://github.com/ffmpeg/ffmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726", "signature_version": "v1", "target": { "file": "libavcodec/cbs_jpeg.c" }, "digest": { "line_hashes": [ "95195660024913394212304132289173808057", "312525091208015857353260134168748076611", "298190530965200286121570828407286037464" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2020-12284-4194c84e" }, { "source": "https://github.com/ffmpeg/ffmpeg/commit/a3a3730b5456ca00587455004d40c047f7b20a99", "signature_version": "v1", "target": { "file": "libavcodec/cbs_jpeg.c" }, "digest": { "line_hashes": [ "95195660024913394212304132289173808057", "312525091208015857353260134168748076611", "298190530965200286121570828407286037464" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2020-12284-8f9639c6" }, { "source": "https://github.com/ffmpeg/ffmpeg/commit/a3a3730b5456ca00587455004d40c047f7b20a99", "signature_version": "v1", "target": { "file": "libavcodec/cbs_jpeg.c", "function": "cbs_jpeg_split_fragment" }, "digest": { "length": 3284.0, "function_hash": "95840289875798690280122319277904648598" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2020-12284-e760d172" } ]