Fix heap buffer overflow in MJ2 stco_decompact (CVE pending)

Grok Compression · Grok Compression · commit bf5a6cbc9123 · 2026-05-13T22:40:11.000-04:00
The stco_decompact function writes to tk-&gt;samples_[samples_count] without
checking whether samples_count has exceeded the vector size. When a crafted
MJ2 file has samples_per_chunk (from stsc box) larger than the actual sample
count (from stts box), the inner loop writes past the end of the vector.

This is an attacker-controlled linear heap write: both the value (chunk.offset_
from stco box) and length (samples_per_chunk from stsc box) are attacker-
controlled 32-bit fields from the file.

Fix (defense in depth):
1. Add bounds check in stco_decompact inner loop to stop before OOB write
2. Validate samples_per_chunk in stsc_decompact against actual sample count,
   rejecting inconsistent files early

Reported-by: Claude / Ada Logics
diff --git a/src/lib/core/fileformat/decompress/FileFormatMJ2Decompress.cpp b/src/lib/core/fileformat/decompress/FileFormatMJ2Decompress.cpp
@@ -548,12 +548,19 @@ void FileFormatMJ2Decompress::stsc_decompact(mj2_tk* tk)
 {
   if(tk->sampletochunk_.size() == 1)
   {
+    auto samples_per_chunk = tk->sampletochunk_[0].samples_per_chunk_;
+    if(samples_per_chunk == 0 || samples_per_chunk > tk->samples_.size())
+    {
+      grklog.error("MJ2 STSC: samples_per_chunk %u is inconsistent with sample count %u",
+                   samples_per_chunk, (uint32_t)tk->samples_.size());
+      return;
+    }
     auto num_chunks = (uint32_t)ceil((double)tk->samples_.size() /
-                                     (double)tk->sampletochunk_[0].samples_per_chunk_);
+                                     (double)samples_per_chunk);
     for(uint32_t k = 0; k < num_chunks; k++)
     {
       mj2_chunk chunk;
-      chunk.num_samples_ = tk->sampletochunk_[0].samples_per_chunk_;
+      chunk.num_samples_ = samples_per_chunk;
       tk->chunks_.push_back(chunk);
     }
   }
@@ -627,6 +634,11 @@ void FileFormatMJ2Decompress::stco_decompact(mj2_tk* tk)
     uint32_t intra_chunk_offset = 0;
     for(uint32_t j = 0; j < chunk.num_samples_; j++)
     {
+      if(samples_count >= tk->samples_.size())
+      {
+        grklog.error("MJ2 STCO: chunk samples exceed declared sample count");
+        return;
+      }
       tk->samples_[samples_count].offset_ = intra_chunk_offset + chunk.offset_;
       intra_chunk_offset += tk->samples_[samples_count].samples_size_;
       samples_count++;

Original file line number	Diff line number	Diff line change
`@@ -548,12 +548,19 @@ void FileFormatMJ2Decompress::stsc_decompact(mj2_tk* tk)`
`548`	`548`	`{`
`549`	`549`	`if(tk->sampletochunk_.size() == 1)`
`550`	`550`	`{`
	`551`	`+ auto samples_per_chunk = tk->sampletochunk_[0].samples_per_chunk_;`
	`552`	`+ if(samples_per_chunk == 0 \|\| samples_per_chunk > tk->samples_.size())`
	`553`	`+ {`
	`554`	`+ grklog.error("MJ2 STSC: samples_per_chunk %u is inconsistent with sample count %u",`
	`555`	`+ samples_per_chunk, (uint32_t)tk->samples_.size());`
	`556`	`+ return;`
	`557`	`+ }`
`551`	`558`	`auto num_chunks = (uint32_t)ceil((double)tk->samples_.size() /`
`552`		`- (double)tk->sampletochunk_[0].samples_per_chunk_);`
	`559`	`+ (double)samples_per_chunk);`
`553`	`560`	`for(uint32_t k = 0; k < num_chunks; k++)`
`554`	`561`	`{`
`555`	`562`	`mj2_chunk chunk;`
`556`		`- chunk.num_samples_ = tk->sampletochunk_[0].samples_per_chunk_;`
	`563`	`+ chunk.num_samples_ = samples_per_chunk;`
`557`	`564`	`tk->chunks_.push_back(chunk);`
`558`	`565`	`}`
`559`	`566`	`}`
`@@ -627,6 +634,11 @@ void FileFormatMJ2Decompress::stco_decompact(mj2_tk* tk)`
`627`	`634`	`uint32_t intra_chunk_offset = 0;`
`628`	`635`	`for(uint32_t j = 0; j < chunk.num_samples_; j++)`
`629`	`636`	`{`
	`637`	`+ if(samples_count >= tk->samples_.size())`
	`638`	`+ {`
	`639`	`+ grklog.error("MJ2 STCO: chunk samples exceed declared sample count");`
	`640`	`+ return;`
	`641`	`+ }`
`630`	`642`	`tk->samples_[samples_count].offset_ = intra_chunk_offset + chunk.offset_;`
`631`	`643`	`intra_chunk_offset += tk->samples_[samples_count].samples_size_;`
`632`	`644`	`samples_count++;`