CVE-2022-2566 - OpenCVE

A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

cpe:2.3:a:ffmpeg:ffmpeg:5.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2022-09-23T11:10:14.367527Z

Updated: 2024-09-17T03:53:34.207Z

Reserved: 2022-07-28T00:00:00

Link: CVE-2022-2566

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-23T12:15:10.103

Modified: 2023-06-27T20:44:29.407

Link: CVE-2022-2566

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FFMPEG", "vendor": "FFMPEG", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "5.1", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "ab77b878f1205225c6de1370fb0e998dbcc8bc69", "versionType": "custom"}, {"lessThan": "c953baa084607dd1d84c3bfcce3cf6a87c3e6e05", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-08-27T00:00:00", "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-27T15:30:12", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "source": {"discovery": "INTERNAL"}, "title": "Heap-memory write in FFMPEG", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "DATE_PUBLIC": "2022-08-27T22:00:00.000Z", "ID": "CVE-2022-2566", "STATE": "PUBLIC", "TITLE": "Heap-memory write in FFMPEG"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FFMPEG", "version": {"version_data": [{"version_affected": ">=", "version_value": "5.1"}, {"version_affected": ">=", "version_value": "ab77b878f1205225c6de1370fb0e998dbcc8bc69"}, {"version_affected": "<", "version_value": "c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}}]}, "vendor_name": "FFMPEG"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122 Heap-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05", "refsource": "MISC", "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:07.996Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2566", "datePublished": "2022-09-23T11:10:14.367527Z", "dateReserved": "2022-07-28T00:00:00", "dateUpdated": "2024-09-17T03:53:34.207Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B9105334-E041-4B8A-8EF2-79FBC94391F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}, {"lang": "es", "value": "Existe una escritura de memoria fuera de los l\u00edmites del mont\u00f3n en FFMPEG desde la versi\u00f3n 5.1. El c\u00e1lculo del tama\u00f1o en `build_open_gop_key_points()` recorre todas las entradas del bucle y a\u00f1ade `sc->ctts_data[i].count` a `sc->sample_offsets_count`. Esto puede conducir a un desbordamiento de enteros que resulta en una peque\u00f1a asignaci\u00f3n con `av_calloc()`. Un atacante puede provocar la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de un archivo mp4 malicioso. Recomendamos actualizar el commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "id": "CVE-2022-2566", "lastModified": "2023-06-27T20:44:29.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-09-23T12:15:10.103", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FFmpeg/FFmpeg/commit/c953baa084607dd1d84c3bfcce3cf6a87c3e6e05"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-122"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}