CVE CyberSecurity Database News

CVE-2021-28429 - Integer Overflow in FFmpeg’s av_timecode_make_string Function—How Malicious .mov Files Could Crash Your Apps

Poster -

FFmpeg is a name you probably hear a lot if you work with video or audio processing on Linux or even on some Windows or macOS systems. It powers all sorts of programs, from video players to editors and game recorders. But, like any major piece of software, FFmpeg is not immune to bugs. In this post, we’ll examine a specific security vulnerability, CVE-2021-28429, found in FFmpeg version 4.3.2. We’ll break down what an “integer overflow” really is, how this bug can be triggered, and what it means for your system’s safety. Plus, we’ll walk through a simple code example, and talk about how someone could exploit it.

What is CVE-2021-28429?

CVE-2021-28429 is a vulnerability in the av_timecode_make_string function of FFmpeg’s libavutil/timecode.c file (in version 4.3.2). This vulnerability occurs due to an integer overflow. A local attacker can exploit this issue by using a specially crafted .mov video file, which can cause FFmpeg or any program using it to crash—resulting in a Denial of Service (DoS).

Here’s the original NVD entry:  
https://nvd.nist.gov/vuln/detail/CVE-2021-28429

Official FFmpeg bug discussion:  
https://trac.ffmpeg.org/ticket/9193  
https://github.com/FFmpeg/FFmpeg/commit/3beeeafa60485e92cb955d7371ae636f77c870

What’s an Integer Overflow?

An *integer overflow* happens when a calculation tries to create a numeric value that is too big (or sometimes too small) to be stored in the allowed number of bytes for that data type. Think of how your car’s odometer “wraps around” after hitting the max value. In code, this can mess up logic, break applications, or open the door to attackers.

The Vulnerable Code

The bug is in the av_timecode_make_string function, which tries to create a string representation of a video timecode (something like "00:10:24:15"). To do this, the code allocates a buffer to hold the output string—but it doesn’t always check if the requested buffer size multiplied by the frame count will overflow the numeric limits!

Here’s a simplified version of the problematic code from timecode.c:

char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) {
    int hh, mm, ss, ff;
    // ... initialization

    int frame_count = tc->fps;         // Get frame rate (could be attacker controlled)
    int size = frame_count * sizeof(char);  // Potential for integer overflow here!

    buf = av_malloc(size);
    if (!buf)
        return NULL;

    // ... further string work
}

If frame_count is a large number (say, stored in the video file), frame_count * sizeof(char) can overflow, causing the buffer to be too small or even zero bytes! Later writes into this buffer can then corrupt memory or crash the application.

How Can This Be Exploited?

This vulnerability is ripe for exploitation via a malformed .mov file (a popular video container format). An attacker can create a .mov file with malicious parameters—specifically, a very high frame rate in the metadata.

Here is a minimal PoC in C that mimics this overflow (for educational purposes)

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

int main() {
    unsigned int frame_count = UINT_MAX / 2 + 2; // Large number to force overflow
    size_t size = frame_count * sizeof(char);
    printf("Allocated size: %zu\n", size);

    char *buf = (char *)malloc(size);
    if (!buf) {
        printf("Failed to allocate buffer\n");
        return 1;
    }

    // Simulating a write that goes beyond buffer
    for (unsigned int i = ; i < frame_count; i++) {
        buf[i] = 'A'; // Possible crash or memory corruption here
    }

    free(buf);
    return ;
}

Running this code may crash your program or operating system!
*Never run PoC code on a production or valuable system.*

Real-World Impact

- Local attack only: The attacker must convince someone to open a malicious .mov file (via email, download, etc.).
- Applications at risk: Any program that uses FFmpeg 4.3.2’s vulnerable function—classic cases are VLC, MPV, OpenShot, and many more.
- Denial of Service: The most common result is a crash, but heap corruption also can open the door to code execution, depending on the context.

How Was It Fixed?

FFmpeg maintainers fixed the bug by *checking for arithmetic overflows* before allocating the buffer.  
See the commit:  
https://github.com/FFmpeg/FFmpeg/commit/3beeeafa60485e92cb955d7371ae636f77c870

How Can You Protect Yourself?

1. Upgrade FFmpeg: If you maintain servers, apps, or scripts that use FFmpeg 4.3.2, update to the latest version right now.
2. Don’t trust random video files: Browser plugins, email readers, and chat apps are all potential sources of untrusted content.

Summary

CVE-2021-28429 is a classic example of how subtle bugs in video processing tools can become security vulnerabilities. By exploiting an integer overflow in timecode string creation, attackers can crash apps that process certain crafted .mov files. The fix is easy—check your math before you allocate memory. Don’t be caught using an old FFmpeg: keep your code and applications updated!

Further reading

- CVE-2021-28429 on NIST NVD
- FFmpeg Trac: Ticket 9193
- FFmpeg official fix commit

Timeline

Published on: 08/11/2023 14:15:00 UTC
Last modified on: 08/18/2023 14:55:00 UTC