Opened 11 years ago
Closed 11 years ago
#3080 closed defect (fixed)
jpeg2000: invalid write 4
| Reported by: | ami_stuff | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | j2k crash SIGSEGV |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
fuzzed file
http://www1.datafilehost.com/d/d0bba6d3
```
(gdb) r -i ./flossless.avi
Starting program: /media/sdb1/ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-da30d0c Copyright (c) 2000-2013 the FFmpeg developers
  built on Oct 22 2013 14:57:21 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil 52. 47.101 / 52. 47.101
  libavcodec 55. 37.102 / 55. 37.102
  libavformat 55. 19.103 / 55. 19.103
  libavdevice 55. 4.100 / 55. 4.100
  libavfilter 3. 89.100 / 3. 89.100
  libswscale 2. 5.101 / 2. 5.101
  libswresample 0. 17.104 / 0. 17.104
  libpostproc 52. 3.100 / 52. 3.100
[avi @ 0x91aee60] Something went wrong during header parsing, I will ignore it and try to continue anyway.
[avi @ 0x91aee60] non-interleaved AVI
[jpeg2000 @ 0x91b2700] unsupported marker 0xCD76 at pos 0x385

Program received signal SIGSEGV, Segmentation fault.
jpeg2000_decode_tile (s=s@entry=0x91b43e0, tile=0x91f1bc0, picture=picture@entry=0x91f1a00) at libavcodec/jpeg2000dec.c:1309
1309        *dst = val << (8 - cbps);
(gdb) bt
#0  jpeg2000_decode_tile (s=s@entry=0x91b43e0, tile=0x91f1bc0, picture=picture@entry=0x91f1a00) at libavcodec/jpeg2000dec.c:1309
#1  0x0855c1de in jpeg2000_decode_frame (avctx=0x91b2700, data=0x91f1a00, got_frame=0xbffff060, avpkt=0xbfffefd8) at libavcodec/jpeg2000dec.c:1663
#2  0x086c8026 in avcodec_decode_video2 (avctx=0x91b2700, picture=0x91f1a00, got_picture_ptr=got_picture_ptr@entry=0xbffff060, avpkt=avpkt@entry=0xbffff088) at libavcodec/utils.c:2007
#3  0x08238490 in try_decode_frame (s=s@entry=0x91aee60, st=st@entry=0x91b24a0, avpkt=avpkt@entry=0x91b73e0, options=0x0) at libavformat/utils.c:2508
#4  0x08241dae in avformat_find_stream_info (ic=0x91aee60, options=0x91b3ca0) at libavformat/utils.c:2970
#5  0x080a9255 in open_input_file (o=o@entry=0xbffff55c, filename=<optimized out>) at ffmpeg_opt.c:818
#6  0x080a7a17 in open_files (inout=inout@entry=0x897641b "input", open_file=open_file@entry=0x80a8e10 <open_input_file>, l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, l=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at ffmpeg_opt.c:2505
#7  0x080afc99 in ffmpeg_parse_options (argc=argc@entry=3, argv=argv@entry=0xbffff9e4) at ffmpeg_opt.c:2542
#8  0x080a50fa in main (argc=3, argv=0xbffff9e4) at ffmpeg.c:3408
(gdb)
```
```
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
==28778== Memcheck, a memory error detector
==28778== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==28778== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==28778== Command: ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
==28778==
ffmpeg version 2.0-da30d0c Copyright (c) 2000-2013 the FFmpeg developers
  built on Oct 22 2013 14:57:21 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil 52. 47.101 / 52. 47.101
  libavcodec 55. 37.102 / 55. 37.102
  libavformat 55. 19.103 / 55. 19.103
  libavdevice 55. 4.100 / 55. 4.100
  libavfilter 3. 89.100 / 3. 89.100
  libswscale 2. 5.101 / 2. 5.101
  libswresample 0. 17.104 / 0. 17.104
  libpostproc 52. 3.100 / 52. 3.100
[avi @ 0x4223060] Something went wrong during header parsing, I will ignore it and try to continue anyway.
[avi @ 0x4223060] non-interleaved AVI
[jpeg2000 @ 0x4255460] unsupported marker 0xCD76 at pos 0x385
==28778== Invalid write of size 1
==28778==    at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778==    by 0x855C1DD: jpeg2000_decode_frame (jpeg2000dec.c:1663)
==28778==    by 0x86C8025: avcodec_decode_video2 (utils.c:2007)
==28778==    by 0x823848F: try_decode_frame (utils.c:2508)
==28778==  Address 0xe42971c0 is not stack'd, malloc'd or (recently) free'd
==28778==
==28778==
==28778== Process terminating with default action of signal 11 (SIGSEGV)
==28778==  Access not within mapped region at address 0xE42971C0
==28778==    at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778==    by 0x855C1DD: jpeg2000_decode_frame (jpeg2000dec.c:1663)
==28778==    by 0x86C8025: avcodec_decode_video2 (utils.c:2007)
==28778==    by 0x823848F: try_decode_frame (utils.c:2508)
==28778==  If you believe this happened as a result of a stack
==28778==  overflow in your program's main thread (unlikely but
==28778==  possible), you can try to increase the size of the
==28778==  main thread stack using the --main-stacksize= flag.
==28778==  The main thread stack size used in this run was 8388608.
==28778==
==28778== HEAP SUMMARY:
==28778==     in use at exit: 2,640,278 bytes in 289 blocks
==28778==   total heap usage: 395 allocs, 106 frees, 2,828,868 bytes allocated
==28778==
==28778== LEAK SUMMARY:
==28778==    definitely lost: 0 bytes in 0 blocks
==28778==    indirectly lost: 0 bytes in 0 blocks
==28778==      possibly lost: 0 bytes in 0 blocks
==28778==    still reachable: 2,640,278 bytes in 289 blocks
==28778==         suppressed: 0 bytes in 0 blocks
==28778== Reachable blocks (those to which a pointer was found) are not shown.
==28778== To see them, rerun with: --leak-check=full --show-reachable=yes
==28778==
==28778== For counts of detected and suppressed errors, rerun with: -v
==28778== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 59 from 6)
Segmentation fault
```
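Triage helper added here as an example; it is not part of this ticket or of FFmpeg. It parses memcheck error records like the one above into the error kind, access size, stack frames and faulting address, flags a write that memcheck cannot attribute to any stack or heap block (the "not stack'd, malloc'd or (recently) free'd" case reported here), and builds a stack signature for deduplicating crashes from a fuzzing run. The sample input is constructed from the ticket's own valgrind output, re-split one record per line as valgrind prints it; all class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the memcheck records quoted in this ticket, one record
# per line as valgrind prints them (the ticket text ran them together).
SAMPLE_VALGRIND_OUTPUT = """\
==28778== Memcheck, a memory error detector
==28778== Command: ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
[jpeg2000 @ 0x4255460] unsupported marker 0xCD76 at pos 0x385
==28778== Invalid write of size 1
==28778==    at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778==    by 0x855C1DD: jpeg2000_decode_frame (jpeg2000dec.c:1663)
==28778==    by 0x86C8025: avcodec_decode_video2 (utils.c:2007)
==28778==    by 0x823848F: try_decode_frame (utils.c:2508)
==28778==  Address 0xe42971c0 is not stack'd, malloc'd or (recently) free'd
==28778==
==28778== Process terminating with default action of signal 11 (SIGSEGV)
==28778==  Access not within mapped region at address 0xE42971C0
==28778==    at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 59 from 6)
"""

PID_PREFIX = re.compile(r"^==\d+==\s?")
# Error headers memcheck emits; only the access errors carry "of size N".
ERROR_HEADER = re.compile(
    r"^(?P<kind>Invalid (?:read|write)|Use of uninitialised value|"
    r"Conditional jump or move depends on uninitialised value\(s\)|"
    r"Invalid free\(\)|Mismatched free\(\))(?:.*? of size (?P<size>\d+))?"
)
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (?P<frame>.+)$")
ADDRESS = re.compile(r"^\s*Address (?P<addr>0x[0-9A-Fa-f]+) (?P<note>.+)$")
SUMMARY = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")


@dataclass
class MemcheckError:
    kind: str
    size: Optional[int] = None
    frames: List[str] = field(default_factory=list)   # innermost frame first
    address: Optional[str] = None
    address_note: Optional[str] = None

    def signature(self, depth: int = 3) -> Tuple[str, Tuple[str, ...]]:
        """Dedup key: error kind plus the top `depth` frames, ignoring the
        addresses and pid, which change from run to run."""
        return (self.kind, tuple(self.frames[:depth]))

    def is_wild_write(self) -> bool:
        """A write memcheck cannot attribute to any stack or heap block (as in
        this ticket), as opposed to an overrun just past a known block."""
        return (self.kind == "Invalid write" and self.address_note is not None
                and self.address_note.startswith("is not stack'd, malloc'd"))


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Collect error records from memcheck output that is interleaved with the
    program's own stderr; lines without the ==pid== prefix are skipped."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for raw in text.splitlines():
        if not raw.startswith("=="):
            continue
        line = PID_PREFIX.sub("", raw, count=1)
        header = ERROR_HEADER.match(line)
        if header:
            size = header.group("size")
            current = MemcheckError(kind=header.group("kind"),
                                    size=int(size) if size else None)
            errors.append(current)
            continue
        if current is None:
            continue
        if not line.strip():
            current = None          # a blank record closes the error block
            continue
        frame = FRAME.match(line)
        if frame:
            current.frames.append(frame.group("frame"))
            continue
        addr = ADDRESS.match(line)
        if addr:
            current.address = addr.group("addr")
            current.address_note = addr.group("note")
    return errors


def error_summary(text: str) -> Optional[Tuple[int, int]]:
    """(errors, distinct contexts) from the ERROR SUMMARY line, if present."""
    for raw in text.splitlines():
        if raw.startswith("=="):
            m = SUMMARY.match(PID_PREFIX.sub("", raw, count=1))
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def group_by_signature(errors: List[MemcheckError],
                       depth: int = 3) -> Dict[Tuple[str, Tuple[str, ...]], int]:
    """Bucket errors by (kind, top frames) so a fuzzing corpus can be deduplicated."""
    buckets: Dict[Tuple[str, Tuple[str, ...]], int] = {}
    for err in errors:
        key = err.signature(depth)
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


if __name__ == "__main__":
    found = parse_memcheck(SAMPLE_VALGRIND_OUTPUT)
    for err in found:
        print(err.kind, err.size, "at", err.frames[0], "wild write:", err.is_wild_write())
    print("summary:", error_summary(SAMPLE_VALGRIND_OUTPUT))
```

The signature deliberately drops the raw addresses: the same bug produces different fault addresses and pids on every run, but the same error kind at the same source locations, so keying on (kind, top frames) collapses a pile of fuzzer outputs into one ticket like this one.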
Attachments (1)
Change History (3)
by , 11 years ago
| Attachment: | flossless_cut.avi added |
|---|---|
comment:1 by , 11 years ago
| Component: | undetermined → avcodec |
|---|---|
| Keywords: | j2k crash SIGSEGV added |
| Priority: | normal → important |
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | unspecified → git-master |
comment:2 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |
Fixed in 780669ef7c23c00836a24921fcc6b03be2b8ca4a