FFmpeg Multiple Vulnerabilities

Last Update Date: 9 Jan 2012 12:41 Release Date: 9 Jan 2012 5555 Views

RISK: High Risk

High Risk

TYPE: Clients - Audio & Video

TYPE: Audio & Video

Multiple vulnerabilities have been identified in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a user's system.

  1. Errors when processing MKV and Vorbis files can be exploited to cause an out-of-bounds read.
  2. An error when processing Vorbis files can be exploited to cause a heap-based buffer overflow.
  3. An error within the "process_audio_header_eacs()" function (libavformat/electronicarts.c) can be exploited to cause a division by zero via e.g. specially crafted TGV files.
  4. An error within the "ff_pnm_decode_header()" function (libavcodec/pnm.c) can be exploited to cause a division by zero via e.g. specially crafted PAM files.
  5. An error within the "decode_band_types()" function (libavcodec/aacdec.c) can be exploited to cause an infinite loop via e.g. specially crafted of PCM files.
  6. An error within the "load_ipmovie_packet()" function (libavformat/ipmovie.c) can be exploited to cause a division by zero via e.g. specially crafted MVE files.
  7. An error within the "decode_slice_thread()" function (libavcodec/proresdec2.c) can be exploited to cause a crash due to an out-of-bounds read via e.g. specially crafted MOV files.
  8. Errors within the "mpeg1_decode_sequence()" and "vcr2_init_sequence()" functions (libavcodec/mpeg12.c) can be exploited to cause a crash via e.g. specially crafted MPEG2 TS files.
  9. A NULL-pointer dereference error within the "parse_bintree()" function (libavcodec/indeo3.c) can be exploited to cause a crash via e.g. specially crafted MOV files.
  10. An error within the "get_ur_golomb_jpegls()" function (libavcodec/golomb.h) can be exploited to cause an infinite loop via e.g. specially crafted AVI files.
  11. A NULL-pointer dereference error within the "ff_ivi_output_plane()" function (libavcodec/ivi_common.c) can be exploited to cause a crash via e.g. specially crafted media files using the INDEO5 codec.
  12. Errors within the handling of MVE files can be exploited to cause a crash due to excessive memory consumption.
  13. A NULL-pointer dereference error within the "tm2_read_stream()" function (libavcodec/truemotion2.c) can be exploited to cause a crash via e.g. specially crafted AVI files.
  14. An error within the "avi_read_idx1()" function (libavformat/avidec.c) can be exploited to cause an infinite loop via e.g. specially crafted AVI files.
  15. An error within the "adpcm_decode_frame()" function (libavcodec/adpcm.c) can be exploited to cause a crash via e.g. specially crafted WVE files.
  16. An error within the "rl2_read_header()" function (libavformat/rl2.c) can be exploited to cause a crash due to a floating point exception.
  17. A NULL-pointer dereference error within the "avpriv_mpeg4audio_get_config()" function (libavcodec/mpeg4audio.c) can be exploited to cause a crash.
  18. An error within the "decodeTonalComponents()" function (libavcodec/atrac3.c) can be exploited to cause a crash.
  19. An error within the "avi_read_header()" function (libavformat/avidec.c) can be exploited to cause a crash due to memory consumption via specially crafted AVI files.
  20. An error within the "txd_read_header()" function (libavformat/txd.c) can be exploited to cause a crash due to memory consumption via specially crafted TXD files.
  21. Errors within the processing of THP files can be exploited to cause a crash due to memory consumption.
  22. An error within the "avi_read_packet()" function (libavformat/avidec.c) can be exploited to cause an infinite loop via specially crafted packages.
  23. An integer overflow error within the "ff_j2k_dwt_init()" function (libavcodec/j2k_dwt.c) can be exploited to cause a heap-based buffer overflow.
  24. An error within the "smacker_read_packet()" function (libavformat/smacker.c) can be exploited to cause a crash due to memory consumption via specially crafted SMK files.
  25. An error within the "transcode_video()" function (ffmpeg.c) can be exploited to cause a crash via e.g. specially crafted VC1 files.
  26. A boundary error within the "smka_decode_frame()" function (libavcodec/smacker.c) can be exploited to cause a crash due to out-of-bounds reads via specially crafted SMK files.
  27. An error within the "ff_mov_read_stsd_entries()" function (libavformat/mov.c) can be exploited to cause an infinite loop via specially crafted MOV files.
  28. An error when decoding JPEG files in lowres mode can be exploited to cause a crash via specially crafted JPEG files.
  29. An error within the "sbr_qmf_synthesis()" function (libavcodec/aacsbr.c) can be exploited to cause a memory corruption via specially crafted media files.
  30. An error within the "ff_h264_decode_seq_parameter_set()" function (libavcodec/h264_ps.c) can be exploited to cause a crash via e.g. specially crafted H264 files.
  31. An error within the "mtv_read_header()" function (libavformat/mtv.c) can be exploited to cause a floating point exception via specially crafted MTV files.
  32. Various other errors can be exploited to e.g. cause crashes due to NULL-pointer dereferences, out-of-bounds reads, floating point exceptions, integer overflows, excessive memory consumption and invalid memory frees or cause infinite loops via specially crafted media files.

Impact

  • Denial of Service
  • Remote Code Execution

System / Technologies affected

  • FFmpeg 0.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to version 0.9.1.

Vulnerability Identifier

Source

Related Link

Share with

Previous

Mozilla Firefox Drag and Drop Handling Same Origin Policy Bypass Vulnerability

6 Jan 2012 5739 Views

Next

Google Chrome Multiple Vulnerabilities

9 Jan 2012 5376 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY