CVE-2015-8662
Description
FFmpeg before 2.8.4 lacks validation of decomposition levels in JPEG 2000 DWT decoding, leading to out-of-bounds access and potential denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ff_dwt_decode function in libavcodec/jpeg2000dwt.c of FFmpeg before version 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform (DWT) decoding. This allows crafted JPEG 2000 data to trigger an out-of-bounds array access, as the code assumes a fixed maximum number of decompositions without checking the actual value provided in the image header [1].
Exploitation
An attacker can deliver a specially crafted JPEG 2000 file to a target using an affected version of FFmpeg. No special network position or authentication is required; the vulnerability is triggered when the file is processed by ff_dwt_decode during JPEG 2000 decoding. The attacker controls the decomposition level parameter, which is read from the file and used directly as an index into a fixed-size array without bounds checking [1].
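The missing check described above, as an added example that is not FFmpeg source and not part of the original page: a header-supplied level count is validated before it is used to index a fixed-size per-level table. The names dwt_ctx, MAX_DECLEVELS, levels_ok, dwt_init_checked and dwt_decode_checked, and the table size of 32, are assumptions made for illustration.

```c
#include <stdint.h>

/* Hypothetical names and sizes; this is not FFmpeg source. */
#define MAX_DECLEVELS 32

typedef struct {
    int      ndeclevels;                 /* untrusted: comes from the image header */
    uint16_t linelen[MAX_DECLEVELS][2];  /* fixed-size per-level table */
} dwt_ctx;

/* Reject level counts that cannot index linelen[] before anything uses them. */
static int levels_ok(int n)
{
    return n >= 0 && n <= MAX_DECLEVELS;
}

/* Fill the per-level table. Returns 0 on success, -1 on a rejected header. */
int dwt_init_checked(dwt_ctx *c, int ndeclevels, uint16_t w, uint16_t h)
{
    if (!levels_ok(ndeclevels))
        return -1;
    c->ndeclevels = ndeclevels;
    for (int lev = ndeclevels - 1; lev >= 0; lev--) {
        c->linelen[lev][0] = w;
        c->linelen[lev][1] = h;
        w = (uint16_t)((w + 1) >> 1);    /* each level halves both dimensions */
        h = (uint16_t)((h + 1) >> 1);
    }
    return 0;
}

/* Walk the table as a decoder would; re-validate because the context may
 * have been filled by code that skipped the check. Writes total rows visited. */
int dwt_decode_checked(const dwt_ctx *c, uint32_t *rows_out)
{
    if (!levels_ok(c->ndeclevels))
        return -1;
    *rows_out = 0;
    if (c->ndeclevels == 0)              /* nothing to transform, touch no table entry */
        return 0;
    for (int lev = 0; lev < c->ndeclevels; lev++)
        *rows_out += c->linelen[lev][1];
    return 0;
}
```

Validating at both the point where the header value is stored and the point where it is used keeps the decode path safe even if another caller populates the context without the first check.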
Impact
Successful exploitation results in a denial-of-service condition due to a crash caused by the out-of-bounds memory access. The official description notes that "unspecified other impact" may also be possible, but the available references confirm only the denial-of-service scenario. The crash occurs at the privilege level of the process using FFmpeg, which could be a media player, server, or transcoding application [1].
Mitigation
The vulnerability is fixed in FFmpeg version 2.8.4 and later releases. Users should update to at least this version. The fix commit is available in the FFmpeg Git repository [1]. No official CISA KEV listing exists for this CVE. As a workaround, avoid processing untrusted JPEG 2000 files with unpatched versions of FFmpeg.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.