CVE-2022-2566 - OpenCVE

A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

cpe:2.3:a:ffmpeg:ffmpeg:5.1:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2022-08-27T00:00:00

Updated: 2022-09-27T15:30:12

Reserved: 2022-07-28T00:00:00

Link: CVE-2022-2566

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-23T12:15:10.103

Modified: 2023-06-27T20:44:29.407

Link: CVE-2022-2566

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "FFMPEG", "vendor": "FFMPEG", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "5.1", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "ab77b878f1205225c6de1370fb0e998dbcc8bc69", "versionType": "custom"}, {"lessThan": "c953baa084607dd1d84c3bfcce3cf6a87c3e6e05", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-08-27T00:00:00", "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-27T15:30:12", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "source": {"discovery": "INTERNAL"}, "title": "Heap-memory write in FFMPEG", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "DATE_PUBLIC": "2022-08-27T22:00:00.000Z", "ID": "CVE-2022-2566", "STATE": "PUBLIC", "TITLE": "Heap-memory write in FFMPEG"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FFMPEG", "version": {"version_data": [{"version_affected": ">=", "version_value": "5.1"}, {"version_affected": ">=", "version_value": "ab77b878f1205225c6de1370fb0e998dbcc8bc69"}, {"version_affected": "<", "version_value": "c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}}]}, "vendor_name": "FFMPEG"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122 Heap-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05", "refsource": "MISC", "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2566", "datePublished": "2022-08-27T00:00:00", "dateReserved": "2022-07-28T00:00:00", "dateUpdated": "2022-09-27T15:30:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B9105334-E041-4B8A-8EF2-79FBC94391F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}, {"lang": "es", "value": "Existe una escritura de memoria fuera de los l\u00edmites del mont\u00f3n en FFMPEG desde la versi\u00f3n 5.1. El c\u00e1lculo del tama\u00f1o en `build_open_gop_key_points()` recorre todas las entradas del bucle y a\u00f1ade `sc->ctts_data[i].count` a `sc->sample_offsets_count`. Esto puede conducir a un desbordamiento de enteros que resulta en una peque\u00f1a asignaci\u00f3n con `av_calloc()`. Un atacante puede provocar la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de un archivo mp4 malicioso. Recomendamos actualizar el commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "id": "CVE-2022-2566", "lastModified": "2023-06-27T20:44:29.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-09-23T12:15:10.103", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-122"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}