FFmpeg CVE-2017-9996 Heap Buffer Overflow Vulnerability



FFmpeg is prone to a heap-based buffer overflow vulnerability.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. Due to the nature of this issue, code execution may be possible but this has not been confirmed.

FFmpeg 2.8.x prior to 2.8.12, 3.0.x prior to 3.0.8, 3.1.x prior to 3.1.8, 3.2.x prior to 3.2.5, and 3.3.x prior to 3.3.1 are vulnerable.

Information

Bugtraq ID: 99323
Class: Boundary Condition Error
CVE: CVE-2017-9996

Remote: Yes
Local: No
Published: Jun 28 2017 12:00AM
Updated: Jun 28 2017 12:00AM
Credit: The vendor reported this issue.
Vulnerable: FFmpeg FFmpeg 3.2.4
FFmpeg FFmpeg 3.2.2
FFmpeg FFmpeg 3.2
FFmpeg FFmpeg 3.1.7
FFmpeg FFmpeg 3.1.6
FFmpeg FFmpeg 3.1.2
FFmpeg FFmpeg 3.1.1
FFmpeg FFmpeg 3.1
FFmpeg FFmpeg 3.0.7
FFmpeg FFmpeg 3.0.5
FFmpeg FFmpeg 3.0
FFmpeg FFmpeg 2.8.11
FFmpeg FFmpeg 2.8.10
FFmpeg FFmpeg 2.8.5
FFmpeg FFmpeg 2.8.4
FFmpeg FFmpeg 2.8.3
FFmpeg FFmpeg 2.8.2
FFmpeg FFmpeg 2.8.1
FFmpeg FFmpeg 2.8
FFmpeg FFmpeg 3.3.0
FFmpeg FFmpeg 3.1.4
FFmpeg FFmpeg 3.1.3
FFmpeg FFmpeg 3.0.4
FFmpeg FFmpeg 3.0.3
FFmpeg FFmpeg 2.8.9
FFmpeg FFmpeg 2.8.8
FFmpeg FFmpeg 2.8.6


Not Vulnerable: FFmpeg FFmpeg 3.3.1
FFmpeg FFmpeg 3.2.5
FFmpeg FFmpeg 3.1.8
FFmpeg FFmpeg 3.0.8
FFmpeg FFmpeg 2.8.12


Exploit


The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.


Related Posts