FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation

[Ron E <ronaldjedgerson () gmail com>]

The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when
large width and height parameters are supplied. The overflow occurs during
buffer size calculations (width * height) leading to incorrect allocation
sizes and subsequent memory corruption. An attacker controlling input
dimensions can trigger large or invalid memory allocations, leading to
denial of service (DoS), memory exhaustion, or potential heap corruption.
(FFmpeg 7.0-8.0)

*Impact:*

   -

   DoS via crash on allocation failure.
   -

   Potential heap overflow / OOM condition if overflow results in
   undersized allocations followed by large reads.

*Proof of Concept:*
./yuvcmp file1.yuv file2.yuv 70000 70000 pixelcmp


*Output:*yuvcmp.c:37:22: runtime error: signed integer overflow: 70000 *
70000 cannot be represented in type 'int'
==ERROR: AddressSanitizer: requested allocation size ... exceeds maximum
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/