oss-sec mailing list archives

[CVE-2017-15672]: ffmpeg: out-of-bounds buffer read when parsing a crafted mp4 file.


From: 连一汉 <lianyihan () 360 cn>
Date: Fri, 3 Nov 2017 11:17:03 +0000

Affected package: ffmpeg
Affected versions: <= 3.3.4

FFmpeg can read out of bounds of a buffer when parsing a crafted mp4 file.

When ffmpeg calculates "bytestream_end" in ff_init_range_encoder() of libavcodec/rangecoder.c,
it uses a small "buf_size". But when read_header() of libavcodec/ffv1dec.c later uses this structure,
it subtracts a "trailer" larger than "buf_size" from "bytestream_end" and reads "size" through AV_RB24().
As a result it reads memory in front of "bytestream" and obtains a wrong "size".
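The following is an added illustration of the bug class described above, not code from FFmpeg or from the reporters. It models the two fields involved (start and end of the byte stream) in a toy struct, reads a 24-bit big-endian value located "trailer" bytes before the end, and shows the bounds check a decoder needs before doing that subtraction: the trailer must fit inside the buffer that "bytestream_end" was computed from. The struct, function names and the sample buffer are constructed for this example; the real RangeCoder, read_header() and the trailer value differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the range coder state (example only, not FFmpeg's struct). */
typedef struct {
    const uint8_t *bytestream_start;
    const uint8_t *bytestream_end;
} ToyRangeCoder;

/* Big-endian 24-bit read, equivalent to what AV_RB24() does. */
static uint32_t rb24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Mirrors the relevant part of initialisation: the end pointer is derived
 * from the (possibly small) buf_size handed to the decoder. */
void toy_init_range_coder(ToyRangeCoder *c, const uint8_t *buf, int buf_size)
{
    c->bytestream_start = buf;
    c->bytestream_end   = buf + buf_size;
}

/* Pattern to avoid: subtracting a caller-supplied trailer from bytestream_end
 * without checking it against the buffer length. If trailer > buf_size the
 * read lands in front of the buffer, which is the defect the advisory describes. */
int read_slice_size_unchecked(const ToyRangeCoder *c, int trailer)
{
    return (int)rb24(c->bytestream_end - trailer);
}

/* Hardened form: refuse any trailer that does not fit entirely inside
 * [bytestream_start, bytestream_end). Returns -1 on invalid data, otherwise
 * the 24-bit size field found trailer bytes before the end. */
int read_slice_size_checked(const ToyRangeCoder *c, int trailer)
{
    ptrdiff_t avail = c->bytestream_end - c->bytestream_start;
    if (trailer < 3 || (ptrdiff_t)trailer > avail)
        return -1;                       /* would read before the buffer */
    return (int)rb24(c->bytestream_end - trailer);
}

/* Constructed 8-byte sample: a 24-bit value 0x000010 at the front and
 * 0x000005 at the very end, so the result reveals which bytes were read. */
static const uint8_t sample_buf[8] = { 0x00, 0x00, 0x10, 0xAA, 0xBB, 0x00, 0x00, 0x05 };

/* Initialise the toy coder over the first buf_size bytes of the sample and
 * perform the checked read; buf_size must be <= 8 for this example. */
int demo_checked(int buf_size, int trailer)
{
    ToyRangeCoder c;
    if (buf_size < 0 || buf_size > (int)sizeof(sample_buf))
        return -1;
    toy_init_range_coder(&c, sample_buf, buf_size);
    return read_slice_size_checked(&c, trailer);
}

int main(void)
{
    printf("buf_size=8 trailer=3 -> %d\n", demo_checked(8, 3));   /* 5: last three bytes */
    printf("buf_size=8 trailer=8 -> %d\n", demo_checked(8, 8));   /* 16: first three bytes */
    printf("buf_size=8 trailer=9 -> %d\n", demo_checked(8, 9));   /* -1: rejected */
    printf("buf_size=2 trailer=3 -> %d\n", demo_checked(2, 3));   /* -1: buffer too small */
    return 0;
}
```

The unchecked variant is shown only to make the defect visible; a decoder should derive every pointer it reads from a length that has already been validated against the allocation, exactly as the checked variant does.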

The issue was fixed with the following commit:
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904

Regards

Reported by Zhibin Hu and Yihan Lian from Qihoo 360 GearTeam

