Input validation error in FFmpeg

#VU18320 Input validation error in FFmpeg

Published: 2019-04-19

Vulnerability identifier: #VU18320

Vulnerability risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9718

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FFmpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the subtitle decoder in ff_htmlmarkup_to_ass() function in libavcodec/htmlsubtitles.c when processing video files in Matroska format. A remote attacker can create a specially crafted video file, pass it to the affected application and consume all available CPU resources.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FFmpeg: 4.1

External links
http://www.securityfocus.com/bid/107382
http://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in ffmpeg (Alpine package)

Ubuntu update for FFmpeg

Multiple vulnerabilities in FFmpeg