FFmpeg is a leading open-source multimedia framework used worldwide for video, audio, and other multimedia processing. Recently, a critical vulnerability—CVE-2024-35366—was reported, affecting FFmpeg version 6.1.1. This bug lives in the parse_options function inside the sbgdec.c file of the libavformat module and can cause an integer overflow. This long-read post will explain the root of the problem, show example code, link to key references, and discuss potential exploitation.
What is CVE-2024-35366?
CVE-2024-35366 is an integer overflow vulnerability in FFmpeg n6.1.1, specifically in the code that parses so-called SBG (Synthetic Background) demuxer options. By sending a specially crafted file with negative duration values, attackers can bypass input checks. This may result in memory corruption, crashes, or even execution of code, depending on the environment.
The flaw lurks in the parse_options function in sbgdec.c
- Location: libavformat/sbgdec.c
Vulnerable Function: parse_options
- Root Issue: The function does not check if option values like duration are negative or too large, so it allows negative numbers, which can wrap around when stored as an unsigned integer.
Let’s look at the simplified vulnerable code
// --- sbgdec.c snippet ---
static int parse_options(SBGContext *s, const char *opts)
{
int duration = ;
// ... (parsing logic)
if (strstr(opts, "duration=") == opts) {
duration = atoi(opts + strlen("duration="));
// VULNERABILITY: No bounds or negativity check here!
s->entry_duration = duration * 100; // milliseconds
}
// ...
return ;
}
Why is this a problem?
If duration is negative, multiplying will result in large positive or negative values due to integer overflow. Later uses of s->entry_duration assume it’s non-negative, leading to unsafe behavior, buffer miscalculations, even memory corruption.
Let’s see how an attacker might write a malicious SBG file
[options]
duration=-99999999
s->entry_duration = -99,999,999 * 100 = -99,999,999,000
If the code later allocates or processes buffers based on this number, big trouble: it may allocate small buffers for huge copies, enabling buffer overflow or even code execution, if not protected.
Let’s simulate the vulnerable parsing in C
#include <stdio.h>
#include <stdlib.h>
int main() {
int duration;
char *input = "duration=-2147483"; // Near INT_MIN / 100
// Parse the option (simulate vulnerable code)
sscanf(input, "duration=%d", &duration);
int entry_duration = duration * 100;
printf("Parsed duration: %d\n", duration);
printf("Entry duration: %d\n", entry_duration);
}
Output
Parsed duration: -2147483
Entry duration: -214748300
Such values are clearly insane for a “duration.” But the code accepts them. With creative SBG files, attackers can cause all sorts of chaos.
Denial of Service (DoS): Continual crashes can turn into DoS.
- Remote Code Execution: In some setups, if the corrupted buffer can control program flow, it can run malicious code.
- Supply Chain Impact: Any app or pipeline using vulnerable FFmpeg, even indirectly, can be attacked.
The correct solution is to check input values
if (duration <= || duration > MAX_ALLOWED_DURATION) {
return AVERROR(EINVAL);
}
// Now safe to assign
s->entry_duration = duration * 100;
Check official fix PRs and commits for updates.
References
- CVEs: CVE-2024-35366 (MITRE official)
- FFmpeg main repository
- SBG Documentation
- Relevant FFmpeg code
Conclusion
CVE-2024-35366 is a classic case of bad integer handling in FFmpeg’s libavformat, showing how the smallest check can prevent severe bugs. Recommendations:
Validate user inputs—always.
Stay safe, keep your software updated, question every input!
*This post is unique, distilled, and intended to keep the community ahead of threats. Share this with your team and help squash security bugs early!*
Timeline
Published on: 11/29/2024 20:15:19 UTC
Last modified on: 12/03/2024 14:15:20 UTC