Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file.
Weakness
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ffmpeg | Ffmpeg | * | 2.4.6 (excluding) |
| Ffmpeg | Ubuntu | zesty | * |
| Libav | Ubuntu | esm-infra-legacy/trusty | * |
| Libav | Ubuntu | trusty | * |
| Libav | Ubuntu | trusty/esm | * |
| Mplayer | Ubuntu | artful | * |
| Mplayer | Ubuntu | upstream | * |
| Mplayer | Ubuntu | zesty | * |
| Vlc | Ubuntu | artful | * |
| Vlc | Ubuntu | zesty | * |
References
- http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=3ebd76a9c57558e284e94da367dd23b435e6a6d0
- https://bugs.chromium.org/p/chromium/issues/detail?id=444546
- https://github.com/FFmpeg/FFmpeg/blob/n2.4.6/Changelog
- http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=3ebd76a9c57558e284e94da367dd23b435e6a6d0
- https://bugs.chromium.org/p/chromium/issues/detail?id=444546
- https://github.com/FFmpeg/FFmpeg/blob/n2.4.6/Changelog