A vulnerability has been found in FFmpeg 1.0/1.0.1 (Multimedia Processing Software) and classified as problematic. This vulnerability affects the function ff_ass_split_override_codes. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. CVE summarizes:

The ff_ass_split_override_codes function in libavcodec/ass_split.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a subtitle dialog without text.

The issue has been introduced in 09/28/2012. The weakness was shared 12/24/2013 as confirmed git commit (GIT Repository). The advisory is shared for download at git.videolan.org. This vulnerability was named CVE-2012-6615 since 12/24/2013. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 452 days. During that time the estimated underground price was around $0-$5k.

Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.videolan.org.

The entries 7503, 8655, 8656 and 8658 are related to this item.

Productinfo

Type

• Multimedia Processing Software

Name

• FFmpeg

Version

• 1.0
• 1.0.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion