Submission #496929: FFmpeg git master stack-buffer-overflow

Title: FFmpeg git master stack-buffer-overflow

Description:
A stack buffer overflow vulnerability was discovered in FFmpeg's AAC encoder implementation. The vulnerability exists in the ff_aac_search_for_tns function within libavcodec/aacenc_tns.c (line 204). When encoding audio with specific AAC parameters (aac_pred true and profile:a aac_low), the function attempts to read 4 bytes at an offset that exceeds the bounds of the 'en' stack buffer, which is only 8 bytes in size (allocated at line 183).

Technical Impact:
- The vulnerability leads to a stack buffer overflow when reading memory 4 bytes beyond the allocated buffer
- This could potentially be exploited to cause memory corruption or program crashes
- In certain scenarios, this might lead to arbitrary code execution

The issue can be reproduced by:
1. Building FFmpeg from the main branch with AddressSanitizer enabled
2. Processing a specially crafted input file with the following FFmpeg command:
   ./ffmpeg -i [input_file] -aac_pred true -profile:a aac_low output.mpd

The vulnerability was confirmed using AddressSanitizer, which detected the buffer overflow during the execution of ff_aac_search_for_tns().

Affected Component: FFmpeg AAC encoder (libavcodec/aacenc_tns.c)
Affected Function: ff_aac_search_for_tns
Affected Version: FFmpeg main branch (as of discovery date)
Attack Vector: Processing a specially crafted audio file
FFmpeg user: 0x20z
Source: https://trac.ffmpeg.org/ticket/11418#comment:3
User: 0x20z (UID 81279)
Submitted: 08/02/2025 09:05 (1 year ago)
Moderated: 22/02/2025 23:10 (15 days later)
Status: Accepted
VulDB Entry: 296589 [FFmpeg up to 7.1 AAC Encoder libavcodec/aacenc_tns.c ff_aac_search_for_tns buffer overflow]
Points: 20
