cbs jpeg split fragment in libavcodec/cbs jpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEG MARKER SOS handling because of a missing length check.