
Full Disclosure mailing list archives
FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol
From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 02:55:20 -0400
A vulnerability exists in the FFmpeg UDP protocol implementation (libavformat/udp.c) where the dscp parameter is parsed from a URI and left-shifted without bounds checking. Supplying a maximum 32-bit signed integer (2147483647) triggers undefined behavior due to a left shift that exceeds the representable range of int. This results in abnormal process termination (DoS) and may lead to miscompiled logic or further memory corruption depending on compiler optimizations. (FFmpeg 7.0-8.0)

*Impact:*
- Crashes or aborts when parsing crafted input.
- Although primarily DoS, undefined behavior can lead to logic miscompilation or corrupted socket options.

*Proof of Concept:*
./ffmpeg -i udp://127.0.0.1:1234?dscp=2147483647

*Output:*
libavformat/udp.c:830:14: runtime error: left shift of 2147483647 by 2 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/udp.c:830:14 in

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
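Added example, not part of the original post and not FFmpeg's own code: the unchecked shift pattern the report describes, next to a range-checked parse that rejects the value before shifting. The function names are hypothetical, and the accepted range 0..63 is an assumption based on DSCP being a 6-bit field (RFC 2474).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* DSCP is a 6-bit field; it sits in the upper six bits of the IPv4 TOS /
 * IPv6 Traffic Class byte, which is why the value is shifted left by 2. */
#define DSCP_MAX 63

/* Unchecked pattern (hypothetical, for comparison): for any dscp above
 * INT_MAX >> 2 this shift is undefined behaviour in C. */
int tos_unchecked(int dscp)
{
    return dscp << 2;
}

/* Checked pattern (hypothetical helper): parse the text of a dscp= option.
 * Returns 0 and stores the TOS byte in *tos on success; returns -1 if the
 * text is not a whole decimal integer in 0..DSCP_MAX. */
int parse_dscp_option(const char *text, int *tos)
{
    char *end;
    long v;

    if (!text || !*text)
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0 || v > DSCP_MAX)
        return -1;
    *tos = (int)(v << 2);   /* at most 63 << 2 == 252, fits in one byte */
    return 0;
}

int main(void)
{
    /* Constructed sample option values, including the one from the report. */
    const char *samples[] = { "46", "63", "64", "-1", "46abc", "2147483647" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int tos = 0;
        if (parse_dscp_option(samples[i], &tos) == 0)
            printf("dscp=%s -> TOS 0x%02x\n", samples[i], tos);
        else
            printf("dscp=%s -> rejected\n", samples[i]);
    }
    return 0;
}
```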