#VU32151 Buffer overflow in FFmpeg - CVE-2016-7562

Cybersecurity Help s.r.o.

Published: 2016-12-23 | Updated: 2020-07-28

Vulnerability identifier: #VU32151

Vulnerability risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-7562

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
FFmpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (buffer overflow) via a crafted AVI file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FFmpeg: 3.1.0 - 3.1.3

External links
https://www.openwall.com/lists/oss-security/2016/10/08/1
https://www.securityfocus.com/bid/94835
https://security.gentoo.org/glsa/201701-71

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in ffmpeg (Alpine package)

Gentoo update for FFmpeg

Buffer overflow in ffmpeg.sourceforge.net FFmpeg