A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function lag_decode_frame. The manipulation leads to memory corruption. The problem is classified as CWE-119. The issue was introduced on 07/11/2013. The weakness was disclosed on 02/06/2014 as a Git commit titled "lagarith: reallocate rgb_planes when needed" (Git repository). The advisory is available at git.videolan.org.
This vulnerability is handled as CVE-2014-125024. The attack may be launched remotely. Technical details are available. There is no exploit available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment.
The vulnerability was handled as a non-public zero-day exploit for at least 210 days. As a 0-day, the estimated underground price was around $0-$5k.
The bugfix is ready for download at git.videolan.org. It is recommended to apply a patch to fix this issue. A possible mitigation was published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in other vulnerability databases: X-Force (91082) and Secunia (SA56838).