Denial Of Service (DoS) Via High CPU And Memory Consumption

2017-09-0402:07:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

57.7%

JSON

FFmpeg is vulnerable to denial of service (DoS) attacks. These attacks are possible because FFmpeg does not check for an EOF (End of File) in the rl2_read_header() function of libavformat/rl2.c. This leads to high CPU and memory consumption when a malicious RL2 file with a large frame_count field in the header but without sufficient backing data is input.

CPENameOperatorVersion
ffmpegle2.8.3
ffmpegeq2.8.11-r0
ffmpegeq2.6.9-r0
ffmpegeq3.1.11-r1
ffmpegeq3.2.9-r0
ffmpegeq1.2.8-r0
ffmpegeq1.1.14-r0
ffmpegeq2.1.5-r1
ffmpegeq2.3.5-r0
ffmpegeq0.10.9-r0

Name	Operator	Version
ffmpeg	le	2.8.3
ffmpeg	eq	2.8.11-r0
ffmpeg	eq	2.6.9-r0
ffmpeg	eq	3.1.11-r1
ffmpeg	eq	3.2.9-r0
ffmpeg	eq	1.2.8-r0
ffmpeg	eq	1.1.14-r0
ffmpeg	eq	2.1.5-r1
ffmpeg	eq	2.3.5-r0
ffmpeg	eq	0.10.9-r0