rust-ffmpeg Integer Overflow Vulnerability in Vector Constructor Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in rust-ffmpeg version 0.3.0 (after commit 5ac0527). The Vector::new constructor takes its length as a usize and casts it to c_int with an unchecked `as` cast before passing it to the C function sws_allocVec(). That cast truncates the value to its low 32 bits and reinterprets the top bit as the sign, so a caller-supplied length that does not fit in a c_int can arrive at sws_allocVec() as a negative number, violating the function's precondition that the length be non-negative. sws_allocVec() then fails and returns a null pointer, which the Rust wrapper dereferences. Because Vector::new is a safe function, this lets safe Rust code trigger undefined behaviour, which is a soundness bug in the binding rather than in libswscale itself.
Impact
Exploitation of this vulnerability causes a null pointer dereference and therefore a deterministic crash of the process. A userspace null pointer dereference is a reliable denial of service, not a memory-corruption primitive, so arbitrary code execution should not be assumed from this issue alone. Practitioners should also note a second consequence of the same wrap: a large length whose low 32 bits happen to be a small positive number is silently truncated, so the vector that comes back can be shorter than the caller asked for. Any code that later uses the original length with such a vector needs to be checked separately.
Reproduction
The vulnerability can be reproduced by calling Vector::new with a length that does not fit in a c_int. On a 32-bit target (usize is 32 bits wide) any value greater than i32::MAX becomes negative after the cast. On a 64-bit target the cast keeps only the low 32 bits of the usize: values between 2^31 and 2^32 - 1 become negative, 2^32 becomes 0, and larger values become whatever their low 32 bits encode, which may be negative, zero, or a small positive number. In the negative and zero cases sws_allocVec() returns NULL and the wrapper's dereference crashes; in the small-positive case the allocation quietly succeeds with the wrong size. Either way the C function's precondition is violated from safe Rust, which is the soundness issue.
Remediation
The rust-ffmpeg maintainers have acknowledged the vulnerability, but no official patch is available. Users are advised to avoid using this library. A project that cannot drop it should at least never pass an untrusted or unbounded length to Vector::new: validate that the value converts to a positive c_int (for example with c_int::try_from) before calling into the binding, and treat a failed conversion as an error rather than letting the `as` cast wrap.
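The following stand-alone Rust example, added here and not taken from rust-ffmpeg, shows the wrapping behaviour of the unchecked cast beside a checked constructor that rejects out-of-range lengths. It does not link libswscale; `mock_sws_alloc_vec` is an assumed stand-in that models the C precondition (a non-positive length yields NULL, represented as `None`), and the function names `unchecked_cast`, `checked_len`, `vector_new_unchecked` and `vector_new_checked` are hypothetical. The example assumes a 64-bit target so that lengths above 2^32 can be constructed.

```rust
use std::convert::TryFrom;
use std::os::raw::c_int;

/// Assumed model of the C side, not the real libswscale call: sws_allocVec
/// takes an `int` and the binding dereferences what it returns. A non-positive
/// length makes the C function fail and return NULL, modelled here as `None`;
/// a positive length allocates that many coefficients.
fn mock_sws_alloc_vec(length: c_int) -> Option<Vec<f64>> {
    if length <= 0 {
        return None;
    }
    Some(vec![0.0_f64; length as usize])
}

/// The pattern described in the advisory: `usize as c_int` keeps only the low
/// 32 bits and reinterprets bit 31 as the sign, so nothing stops a large
/// length from becoming negative, zero, or a small unrelated positive value.
fn unchecked_cast(length: usize) -> c_int {
    length as c_int
}

/// Hypothetical reconstruction of the unsound constructor: the truncated
/// value goes straight to the allocator. `None` here is where the real
/// binding would dereference a null pointer and crash.
fn vector_new_unchecked(length: usize) -> Option<Vec<f64>> {
    mock_sws_alloc_vec(unchecked_cast(length))
}

#[derive(Debug, PartialEq)]
enum VecError {
    Zero,
    TooLarge(usize),
    AllocFailed,
}

/// Hardened conversion: a length is accepted only if it is non-zero and
/// round-trips into a `c_int` without truncation. `TryFrom` fails for any
/// value above i32::MAX on every target width.
fn checked_len(length: usize) -> Result<c_int, VecError> {
    if length == 0 {
        return Err(VecError::Zero);
    }
    c_int::try_from(length).map_err(|_| VecError::TooLarge(length))
}

/// Hardened constructor: the C precondition is enforced in Rust, and a null
/// return from the allocator is surfaced as an error instead of dereferenced.
fn vector_new_checked(length: usize) -> Result<Vec<f64>, VecError> {
    let n = checked_len(length)?;
    mock_sws_alloc_vec(n).ok_or(VecError::AllocFailed)
}

fn main() {
    // Constructed inputs (64-bit usize assumed): just past i32::MAX, exactly
    // 2^32, and 2^32 + 5. The first wraps negative, the second to 0, the third
    // to 5, which silently yields a 5-element vector for a ~4 GiB request.
    for &len in &[i32::MAX as usize + 1, u32::MAX as usize + 1, u32::MAX as usize + 6] {
        println!(
            "len={} cast={} unchecked={:?} checked={:?}",
            len,
            unchecked_cast(len),
            vector_new_unchecked(len).map(|v| v.len()),
            vector_new_checked(len).map(|v| v.len())
        );
    }
}
```

The checked path is the shape a fix would take at the binding boundary: convert with `TryFrom`, reject zero and anything that does not fit, and never dereference the C return value without a null check.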
