A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function add_yblock
of the file libavcodec/snow.h. The manipulation leads to memory corruption. The CWE definition for the vulnerability is CWE-119. The issue has been introduced in 07/11/2013. The weakness was presented 02/16/2014 by Mateusz Jurczyk and Gynvael Coldwind (j00ru) with Google Security Team as avcodec/snow: split block clipping checks as GIT Commit (GIT Repository). The advisory is shared at git.videolan.org.
This vulnerability is uniquely identified as CVE-2014-125009. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment.
The vulnerability was handled as a non-public zero-day exploit for at least 220 days. We expect the 0-day to have been worth approximately $0-$5k.
The bugfix is ready for download at git.videolan.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented other vulnerability databases: SecurityFocus (BID 65671), X-Force (91258) and Secunia (SA57066).