FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)
FFmpeg's udp.c component contains an integer overflow when it parses the fifo_size option, which can lead to a failed memory allocation or a buffer overflow. The flaw affects versions 7.0 through 8.0; its severity depends on compiler optimizations and downstream usage. Published 2025-9-8 22:28:34, source: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 02:43:02 -0400

A signed integer overflow exists in FFmpeg’s udp.c implementation when
parsing the fifo_size option from a user-supplied UDP URL. The overflow
occurs during multiplication, which is used to compute the size of the
circular receive buffer. This can result in undefined behavior, allocation
failures, or potentially memory corruption depending on compiler
optimizations and downstream usage. (FFmpeg 7.0-8.0)
*Impact:*

   - Denial of Service (allocation failure, runtime crash).
   - Heap buffer overflow if the wrapped value allocates a smaller buffer
     than required but is later written into with the intended (larger) size.
   - Severity depends on compiler behavior and downstream allocations.

*Proof of Concept:*
./ffmpeg -i udp://127.0.0.1:1234?fifo_size=2147483647 -f null -


*Output:*
libavformat/udp.c:760:29: runtime error: signed integer overflow:
2147483647 * 188 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libavformat/udp.c:760:29
[in#0 @ 0x512000000040] Error opening input: Cannot allocate memory
Error opening input file udp://127.0.0.1:1234?fifo_size=2147483647.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
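The sanitizer output above shows the whole bug in one line: a user-controlled count is parsed and multiplied by 188 in int arithmetic, and the product does not fit. The following C program is an added illustration, not FFmpeg's udp.c: it puts the unchecked parse-then-multiply pattern next to a checked version that rejects malformed, non-positive and out-of-range values before the multiplication can overflow. PACKET_SIZE (188) is taken from the sanitizer message; the function names, the divide-based bound, and the choice to reject zero are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the per-packet multiplier visible in the advisory's sanitizer
 * output (2147483647 * 188). Illustrative constant, not FFmpeg's definition. */
#define PACKET_SIZE 188

/* Unchecked pattern the advisory describes: parse the option, then multiply.
 * The product is formed in 64 bits here so this demo stays well defined; in
 * 32-bit int arithmetic the same multiply is the signed overflow reported by
 * UBSan. The return value is the exact product so callers can see whether it
 * would have fit in an int at all. */
long long unchecked_buffer_size(const char *opt)
{
    int fifo_size = (int)strtol(opt, NULL, 10); /* no error or range check */
    return (long long)fifo_size * PACKET_SIZE;  /* int * int would overflow */
}

/* Checked replacement (hypothetical): strict decimal parse, positive-only
 * policy, and a divide-based guard that fails before the multiplication.
 * Returns the buffer size in bytes (> 0) on success, -1 on any rejection. */
int checked_buffer_size(const char *opt)
{
    char *end = NULL;
    errno = 0;
    long fifo_size = strtol(opt, &end, 10);

    if (end == opt || *end != '\0' || errno == ERANGE)
        return -1;                      /* empty, trailing junk, or out of long range */
    if (fifo_size <= 0)
        return -1;                      /* zero/negative is not a usable buffer size */
    if (fifo_size > INT_MAX / PACKET_SIZE)
        return -1;                      /* fifo_size * PACKET_SIZE would exceed INT_MAX */

    return (int)fifo_size * PACKET_SIZE; /* guaranteed to fit */
}

int main(void)
{
    /* Constructed sample inputs, including the advisory's 2147483647. */
    const char *inputs[] = { "7", "11422785", "11422786", "2147483647", "-1", "12abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long long wide = unchecked_buffer_size(inputs[i]);
        int checked = checked_buffer_size(inputs[i]);
        printf("fifo_size=%-11s unchecked product=%14lld (%s int)  checked: %s\n",
               inputs[i], wide,
               (wide > INT_MAX || wide <= 0) ? "does not fit" : "fits",
               checked < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The divide-based guard (`fifo_size > INT_MAX / PACKET_SIZE`) is the portable way to express "the product would overflow" without performing it; INT_MAX / 188 is 11422785, so that is the largest fifo_size the checked path accepts. Compiling the unchecked pattern with `-fsanitize=undefined`, as the reporter evidently did, is the detection counterpart: it turns the silent wrap into the runtime error quoted above.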


Source: https://seclists.org/fulldisclosure/2025/Sep/30