FFmpeg 2.0 mpeg4videodec.c decode_vol_header memory corruption

A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_vol_header of the file libavcodec/mpeg4videodec.c. The manipulation leads to memory corruption. The CWE definition for the vulnerability is CWE-119. The issue has been introduced in 07/11/2013. The weakness was published 02/20/2014 by Mateusz Jurczyk and Gynvael Coldwind with Google Security Team as avcodec/mpeg4videodec: Check for bitstream overread in decode_vol_header() as GIT Commit (GIT Repository). The advisory is shared at git.videolan.org. This vulnerability is uniquely identified as CVE-2014-125005. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment. The vulnerability was handled as a non-public zero-day exploit for at least 224 days. We expect the 0-day to have been worth approximately $0-$5k. The bugfix is ready for download at git.videolan.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published before and not just after the disclosure of the vulnerability. The vulnerability is also documented other vulnerability databases: X-Force (91658).

Field03/13/2014 15:2404/17/2019 08:2706/17/2022 23:20
nameFFmpegFFmpegFFmpeg
version2.02.02.0
filelibavcodec/mpeg4videodec.clibavcodec/mpeg4videodec.clibavcodec/mpeg4videodec.c
functiondecode_vol_headerdecode_vol_headerdecode_vol_header
introductiondate137350080013735008001373500800
risk111
cvss2_vuldb_basescore4.34.34.3
cvss2_vuldb_tempscore3.23.23.2
cvss2_vuldb_avNNN
cvss2_vuldb_acMMM
cvss2_vuldb_auNNN
cvss2_vuldb_ciNNN
cvss2_vuldb_iiNNN
cvss2_vuldb_aiPPP
cvss3_meta_basescore5.35.35.3
cvss3_meta_tempscore4.64.64.6
cvss3_vuldb_basescore5.35.35.3
cvss3_vuldb_tempscore4.64.64.6
date1392854400 (02/20/2014)1392854400 (02/20/2014)1392854400 (02/20/2014)
locationGIT RepositoryGIT RepositoryGIT Repository
typeGIT CommitGIT CommitGIT Commit
urlhttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823ahttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823ahttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823a
identifieravcodec/mpeg4videodec: Check for bitstream overread in decode_vol_header()avcodec/mpeg4videodec: Check for bitstream overread in decode_vol_header()avcodec/mpeg4videodec: Check for bitstream overread in decode_vol_header()
person_nameMateusz Jurczyk/Gynvael ColdwindMateusz Jurczyk/Gynvael ColdwindMateusz Jurczyk/Gynvael Coldwind
person_websitehttp://www.google.comhttp://www.google.comhttp://www.google.com
company_nameGoogle Security TeamGoogle Security TeamGoogle Security Team
price_0day$0-$5k$0-$5k$0-$5k
namePatchPatchPatch
patch_urlhttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823ahttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823ahttp://git.videolan.org/?p=ffmpeg.git;a=commit;h=3edc3b159503d512c919b3d5902f7026e961823a
xforce916589165891658
seealso12589 12588 12587 12586 12584 12583 1258212589 12588 12587 12586 12584 12583 1258212589 12588 12587 12586 12584 12583 12582
cvss2_vuldb_eUUU
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_rcCCC
cvss3_vuldb_eUUU
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
0day_days224224224
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iNNN
cvss3_vuldb_aLLL
typeMultimedia Processing SoftwareMultimedia Processing Software
xforce_titleFFmpeg decode_vol_header() denial of serviceFFmpeg decode_vol_header() denial of service
xforce_identifierffmpeg-decodevolheader-dosffmpeg-decodevolheader-dos
xforce_riskMedium RiskMedium RiskMedium Risk
cwe0119 (memory corruption)119 (memory corruption)
cveCVE-2014-125005
responsibleVulDB

Might our Artificial Intelligence support you?

Check our Alexa App!