Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)

From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 02:43:02 -0400
A signed integer overflow exists in FFmpeg’s udp.c implementation when
parsing the fifo_size option from a user-supplied UDP URL. The overflow
occurs during multiplication, which is used to compute the size of the
circular receive buffer. This can result in undefined behavior, allocation
failures, or potentially memory corruption depending on compiler
optimizations and downstream usage. (FFmpeg 7.0-8.0))
*Impact:*

   -

   Denial of Service (allocation failure, runtime crash).
   -

   Heap buffer overflow if the wrapped value allocates a smaller buffer
   than required but is later written into with the intended (larger) size.
   -

   Severity depends on compiler behavior and downstream allocations.



*Proof of Concept:*./ffmpeg -i udp://127.0.0.1:1234?fifo_size=2147483647 -f
null -


*Output:*libavformat/udp.c:760:29: runtime error: signed integer overflow:
2147483647 * 188 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libavformat/udp.c:760:29
[in#0 @ 0x512000000040] Error opening input: Cannot allocate memory
Error opening input file udp://127.0.0.1:1234?fifo_size=2147483647.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: