From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 02:55:20 -0400
A vulnerability exists in the FFmpeg UDP protocol implementation (libavformat/udp.c) where the dscp parameter is parsed from a URI and left-shifted without bounds checking. Supplying a maximum 32-bit signed integer (2147483647) triggers undefined behavior due to a left shift that exceeds the representable range of int. This results in abnormal process termination (DoS) and may lead to miscompiled logic or further memory corruption depending on compiler optimizations.

Affected versions: FFmpeg 7.0-8.0
*Impact:*
- Crashes or aborts when parsing crafted input.
- Although primarily DoS, undefined behavior can lead to logic miscompilation or corrupted socket options.
*Proof of Concept:*
./ffmpeg -i udp://127.0.0.1:1234?dscp=2147483647

*Output:*
libavformat/udp.c:830:14: runtime error: left shift of 2147483647 by 2 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/udp.c:830:14 in
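The shift the sanitizer reports (dscp << 2) is the usual way a 6-bit DSCP value is placed into the IP TOS byte. The following is an added illustration written for this post, not FFmpeg's udp.c: it reconstructs the unchecked pattern the advisory describes next to a hardened variant that rejects any dscp outside 0..63 before shifting, so the shift can never overflow an int. The query-string parser and all function names (query_get_dscp, tos_from_dscp_unchecked, tos_from_dscp_checked, tos_from_query) are hypothetical; the sample URIs are constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DSCP is a 6-bit field; the IP TOS byte carries it in the top six bits,
 * which is why the value is shifted left by 2 before setsockopt(IP_TOS). */
#define DSCP_MAX 63

/* Hypothetical helper (not FFmpeg's URI parser): find a "dscp=" key in a
 * query string and parse its decimal value into *out.
 * Returns 1 on success, 0 if the key is absent or the value is malformed
 * or does not fit in a long. */
static int query_get_dscp(const char *query, long *out)
{
    const char *p = query;
    for (;;) {
        p = strstr(p, "dscp=");
        if (!p)
            return 0;
        /* only accept a whole key, not a suffix such as "xdscp=" */
        if (p == query || p[-1] == '&')
            break;
        p += 5;
    }
    p += 5;

    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)
        return 0;
    if (*end != '\0' && *end != '&')
        return 0;
    *out = v;
    return 1;
}

/* The unchecked pattern the advisory describes: an int shifted by 2 with no
 * range check. For dscp == INT_MAX (2147483647) the result is not
 * representable in int and the shift is undefined behaviour in C, which is
 * exactly what UBSan flags. Shown only to contrast with the checked version;
 * never call it with unvalidated input. */
static int tos_from_dscp_unchecked(int dscp)
{
    return dscp << 2;
}

/* Hardened version: validate the 6-bit range before shifting and return -1
 * so the caller can reject the URI instead of passing garbage to the socket. */
static int tos_from_dscp_checked(long dscp)
{
    if (dscp < 0 || dscp > DSCP_MAX)
        return -1;
    return (int)(dscp << 2);
}

/* Parse a query string and compute the TOS byte, or -1 if the URI is rejected. */
static int tos_from_query(const char *query)
{
    long dscp;
    if (!query_get_dscp(query, &dscp))
        return -1;
    return tos_from_dscp_checked(dscp);
}

int main(void)
{
    /* constructed sample query strings */
    const char *samples[] = {
        "dscp=46",               /* EF: valid, TOS 184 */
        "ttl=5&dscp=10",         /* valid, TOS 40 */
        "dscp=2147483647",       /* the advisory's value: rejected */
        "dscp=64",               /* one past the 6-bit range: rejected */
        "dscp=-1",               /* negative: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> tos %d\n", samples[i], tos_from_query(samples[i]));
    return 0;
}
```

The check belongs where the option is parsed, before the shift; once the value is known to be at most 63, the shifted result is at most 252 and fits comfortably in the TOS byte, so no later cast or socket option can be fed an overflowed value.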
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Thread: FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol (Ron E, Sep 08)