FFmpeg Integer Underflow Vulnerability in DHAV File Parsing Leading to Heap Buffer Underflow

Vulnerability

A vulnerability exists in FFmpeg when handling DHAV files due to an integer underflow in offset calculations. This flaw allows the duration to be read from before the start of the allocated buffer, creating a heap buffer underflow. The issue arises with DHAV files larger than 1,048,576 bytes. The vulnerability was introduced in a commit that altered how durations are calculated and how tags are scanned, and it has been fixed in version 8.0.
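As an added illustration of the bug class described above (this is not FFmpeg's code and does not reproduce the DHAV format; the trailer layout, the tag position, the 64-byte sample and the function names are constructed for this model), here is an unchecked back-offset calculation beside a hardened form that validates the offset against the bytes actually available before using it:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed trailer layout for this model: a 4-byte tag followed by a
 * 4-byte little-endian "back offset" counted from the end of the data. */
#define TRAILER_LEN 8

static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Writes the constructed trailer at the end of buf (sample-input helper). */
void make_trailer(uint8_t *buf, size_t len, uint32_t back) {
    memcpy(buf + len - TRAILER_LEN, "DHAV", 4);
    uint8_t *p = buf + len - 4;
    p[0] = back & 0xff;         p[1] = (back >> 8) & 0xff;
    p[2] = (back >> 16) & 0xff; p[3] = (back >> 24) & 0xff;
}

/* Vulnerable variant: trusts the back offset without checking it against the
 * bytes available, so a large value yields a position before the buffer start
 * (negative here; with unsigned arithmetic it would wrap to a huge value). */
int64_t packet_start_unchecked(const uint8_t *data, size_t len) {
    uint32_t back = rl32(data + len - 4);
    return (int64_t)len - (int64_t)back;
}

/* Hardened variant: reject any offset that does not land inside the buffer.
 * Returns -1 for a malformed trailer instead of a position a caller would read. */
int64_t packet_start_checked(const uint8_t *data, size_t len) {
    if (len < TRAILER_LEN || memcmp(data + len - TRAILER_LEN, "DHAV", 4) != 0)
        return -1;
    uint32_t back = rl32(data + len - 4);
    if (back < TRAILER_LEN || back > len)
        return -1;
    return (int64_t)(len - back);
}

/* Builds a 64-byte constructed sample carrying the given back offset and
 * returns the position each variant computes (checked != 0 selects the
 * hardened one). */
int64_t model(uint32_t back, int checked) {
    uint8_t buf[64] = {0};
    make_trailer(buf, sizeof buf, back);
    return checked ? packet_start_checked(buf, sizeof buf)
                   : packet_start_unchecked(buf, sizeof buf);
}
```

An AddressSanitizer build catches the unchecked variant only when the bad position is actually dereferenced; the hardened variant fails closed before any read happens.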

Impact

Exploitation of this vulnerability causes a heap buffer underflow, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by compiling FFmpeg with AddressSanitizer enabled, which is necessary to detect the issue. After building FFmpeg, a DHAV file larger than 1 MiB (1,048,576 bytes) can be created using a Python script. The crafted file contains a 'DHAV' signature, a valid type byte, and an offset that causes the underflow, so that FFmpeg reads out-of-bounds data when it processes the file. Once the file is generated, it can be passed as input to the FFmpeg command-line tool, which will process the file and expose the vulnerability.

Remediation

Users are advised to upgrade to FFmpeg version 8.0 or later.

Added: Oct 6, 2025, 8:19 AM
Updated: Oct 6, 2025, 3:15 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.