FFmpeg 2.0 mpeg4videodec.c decode_vol_header memory corruption
A vulnerability classified as problematic was found in FFmpeg 2.0. It affects the function decode_vol_header in the file libavcodec/mpeg4videodec.c. The manipulation leads to memory corruption. The CWE definition for the vulnerability is CWE-119. The issue was introduced on 07/11/2013. The weakness was published on 02/20/2014 by Mateusz Jurczyk and Gynvael Coldwind with the Google Security Team as a Git commit (Git repository) titled "avcodec/mpeg4videodec: Check for bitstream overread in decode_vol_header()". The advisory is shared at git.videolan.org.
This vulnerability is uniquely identified as CVE-2014-125005. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment.
The vulnerability was handled as a non-public zero-day exploit for at least 224 days. We expect the 0-day to have been worth approximately $0-$5k.
The bugfix is ready for download at git.videolan.org. It is recommended to apply the patch to fix this issue. A possible mitigation was published before the disclosure of the vulnerability, not only after it.
The vulnerability is also documented in other vulnerability databases: X-Force (91658).