
Full Disclosure mailing list archives
FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation
From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 01:35:50 -0400
The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when large width and height parameters are supplied. The overflow occurs during buffer size calculations (width * height) leading to incorrect allocation sizes and subsequent memory corruption. An attacker controlling input dimensions can trigger large or invalid memory allocations, leading to denial of service (DoS), memory exhaustion, or potential heap corruption. (FFmpeg 7.0-8.0)

*Impact:*
- DoS via crash on allocation failure.
- Potential heap overflow / OOM condition if overflow results in undersized allocations followed by large reads.

*Proof of Concept:*
./yuvcmp file1.yuv file2.yuv 70000 70000 pixelcmp

*Output:*
yuvcmp.c:37:22: runtime error: signed integer overflow: 70000 * 70000 cannot be represented in type 'int'
==ERROR: AddressSanitizer: requested allocation size ... exceeds maximum

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
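The following is an added example, not code from the post or from FFmpeg: a checked frame-size calculation of the kind that rejects the reported dimensions before any allocation, next to the value a 32-bit multiply wraps to. The function names, the `MAX_DIM` cap and the planar YUV 4:2:0 layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 65535L /* assumed policy cap per dimension, not an FFmpeg constant */

/* Value a 32-bit multiply wraps to, computed in 64-bit so the demo is well defined. */
static uint32_t wrapped_product32(uint32_t w, uint32_t h) { return (uint32_t)((uint64_t)w * h); }

/* Parse one decimal dimension; 0 on success, -1 on junk, non-positive or too large. */
static int parse_dim(const char *s, size_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v <= 0 || v > MAX_DIM)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Checked multiply in size_t: fails instead of wrapping. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Bytes in one planar YUV 4:2:0 frame (assumed layout): luma plus two chroma planes. */
static int frame_size_420(const char *ws, const char *hs, size_t *out)
{
    size_t w, h, luma, chroma;
    if (parse_dim(ws, &w) || parse_dim(hs, &h) || mul_size(w, h, &luma))
        return -1;
    chroma = ((w + 1) / 2) * ((h + 1) / 2); /* cannot wrap: w, h <= MAX_DIM */
    if (chroma > (SIZE_MAX - luma) / 2)
        return -1;
    *out = luma + 2 * chroma;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = frame_size_420("70000", "70000", &n); /* dimensions from the report: rejected */
    printf("wrap=%u rc=%d\n", (unsigned)wrapped_product32(70000, 70000), rc);
    return 0;
}
```

The wrapped value is a plausible-looking positive size far smaller than the real product, which is why an unchecked multiply can yield an undersized buffer rather than an obvious failure.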