Full Disclosure mailing list archives

FFmpeg 7.0+ Integer Overflow in FFmpeg cache: Protocol (CacheEntry::size)


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 03:39:25 -0400

An integer overflow vulnerability exists in the FFmpeg cache: URL protocol
implementation. The CacheEntry structure uses a 32-bit signed integer to
store cache entry sizes (int size), but the cache layer can accumulate
cached data exceeding 2 GB. Once entry->size approaches INT_MAX and a
further block of data is appended, the addition overflows. This results in
corrupted cache metadata and can lead to logic errors, incorrect data reads,
and possible out-of-bounds access depending on downstream use.
(Affected: FFmpeg 7.0-8.0)

*Impact:*

   - Player/processing pipeline collapses with repeated write failures.

   - Reads/writes misaligned → corrupted output or playback.

   - If a corrupted entry->size propagates, it can trick boundary checks
     (in_block_pos < entry->size) into allowing invalid reads. That's a
     potential memory-safety issue in downstream cache logic.

*Proof of Concept:*
ffmpeg -f lavfi -i anullsrc=r=44100:cl=stereo -t 150000 big_valid.wav
ASAN_OPTIONS=abort_on_error=1 \
UBSAN_OPTIONS=print_stacktrace=1 \
./ffmpeg -read_ahead_limit -1 -i "cache:big_valid.wav" -f null -


*Output:*

libavformat/cache.c:151:21: runtime error: signed integer overflow:
2147450958 + 32768 cannot be represented in type 'int'
[cache @ 0x50d000000040] write in cache failed
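To make the arithmetic concrete, the following C is an added example written for this archive page and is not FFmpeg's libavformat/cache.c. `narrow_entry`, `wide_entry` and every function below are hypothetical stand-ins that model the advisory's 32-bit `size` field, a checked append that fails the write instead of overflowing, a 64-bit variant with an explicit cap, and a boundary check that a wrapped (negative) size cannot satisfy. The only values not constructed here are the two operands from the sanitizer line above, 2147450958 and 32768.

```c
/*
 * Added illustration, not FFmpeg code: models the bug class the advisory
 * describes. `narrow_entry` stands in for a cache entry whose size is a
 * 32-bit int; `wide_entry` is the hardened shape with a 64-bit size and a
 * cap. Values are constructed except the two operands from the sanitizer
 * line in the advisory (2147450958 + 32768).
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int64_t logical_pos;  /* where this entry begins in the stream */
    int     size;         /* 32-bit signed: the field that overflows */
} narrow_entry;

typedef struct {
    int64_t logical_pos;
    int64_t size;         /* 64-bit: cannot wrap for any realistic stream */
} wide_entry;

/* Checked append for the narrow entry: refuse the write rather than let the
 * addition overflow. __builtin_add_overflow is a GCC/Clang builtin. */
bool narrow_append(narrow_entry *e, int len)
{
    int new_size;
    if (len < 0 || __builtin_add_overflow(e->size, len, &new_size))
        return false;         /* caller must treat this as a write failure */
    e->size = new_size;
    return true;
}

/* Checked append for the wide entry; `cap` bounds the total cached bytes. */
bool wide_append(wide_entry *e, int64_t len, int64_t cap)
{
    int64_t new_size;
    if (len < 0 || __builtin_add_overflow(e->size, len, &new_size) ||
        new_size > cap)
        return false;
    e->size = new_size;
    return true;
}

/* What an unchecked 32-bit addition yields on a two's-complement target.
 * Computed in unsigned arithmetic so this function itself is well-defined,
 * then converted back to int (modular on GCC/Clang). */
int wrapped_size(int size, int len)
{
    uint32_t sum = (uint32_t)size + (uint32_t)len;
    return (int)(int32_t)sum;
}

/* Boundary check of the kind the advisory names (in_block_pos < entry->size),
 * made robust against a non-positive size so a wrapped value is never
 * treated as a valid extent. */
bool narrow_in_bounds(const narrow_entry *e, int64_t in_block_pos)
{
    return e->size > 0 && in_block_pos >= 0 && in_block_pos < e->size;
}

/* Scenario 1: the advisory's operands through the checked path. */
bool advisory_append_rejected(void)
{
    narrow_entry e = { .logical_pos = 0, .size = 2147450958 };
    return !narrow_append(&e, 32768);   /* true: the write is refused */
}

/* Scenario 2: the same operands in a 64-bit size field fit comfortably. */
int64_t advisory_append_wide(void)
{
    wide_entry e = { .logical_pos = 0, .size = 2147450958 };
    if (!wide_append(&e, 32768, INT64_MAX))
        return -1;
    return e.size;                      /* 2147483726 */
}

/* Scenario 3: after a wrap the size is negative; the robust check rejects
 * every read instead of letting a garbage extent through. */
bool wrapped_entry_in_bounds(int64_t in_block_pos)
{
    narrow_entry e = { .logical_pos = 0,
                       .size = wrapped_size(2147450958, 32768) };
    return narrow_in_bounds(&e, in_block_pos);
}

int main(void)
{
    printf("checked append with advisory values rejected: %s\n",
           advisory_append_rejected() ? "yes" : "no");
    printf("64-bit size after the same append: %lld\n",
           (long long)advisory_append_wide());
    printf("wrapped 32-bit size would be: %d\n",
           wrapped_size(2147450958, 32768));
    return 0;
}
```

Compile with gcc or clang (the overflow builtin is not in standard C). The point of the wide variant plus cap is that widening the field alone removes the wraparound, while the cap keeps a read_ahead_limit of -1 (unbounded, as in the PoC) from turning into unbounded memory growth.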
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/