FFmpeg/libavcodec/zmbvenc.c:97:30 Out-of-bounds Read Vulnerability

Summary

block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based buffer over-read.

Credit:

The information has been provided by Suhwan.

The original article can be found at:

https://trac.ffmpeg.org/ticket/7980


Details

There is a heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp, due to a null pointer or undefined behavior at libavformat/nutenc.c:794:27.

Proof Of Concept:

Input file: tmp.webm, output file: tmp_.nut
% ffmpeg_g -y -r 3 -i tmp.webm -map 0 -c:v zmbv -c:s adpcm_ms -disposition:a:86 vc2 -disposition:s prores_ks -vframes 52 -r 8 -ar 22050 -b:v 928 -strict 2 tmp_.nut

ffmpeg version : N-94137-g89b96900fa Copyright (c) 2000-2019 the FFmpeg developers

built with clang-9, clang-asan option.



Vulnerable Systems:

FFmpeg 4.1.3

CVE Information:

CVE-2019-13312

Disclosure Timeline:
Published Date: 07/04/2019