Researcher details FFmpeg remote code execution (CVE-2022-2566) flaw

A security researcher from Google, Andy Nguyen released CVE-2022-2566 PoC exploit code for high FFmpeg heap out-of-bounds memory write vulnerability affecting FFMPEG since version 5.1.

FFmpeg is the leading multimedia framework, able to decode, encode, transcode, mux, demux, stream, filter and play pretty much anything that humans and machines have created.

FFmpeg could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow due to a heap out-of-bounds memory write in the size calculation in the build_open_gop_key_points() function. By persuading a victim to open a specially-crafted mp4 file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

“A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`,” according to the MITRE.

The CVE-2022-2566 bug affects version 5.1 or commit ab77b878f1205225c6de1370fb0e998dbcc8bc69 was discovered in libavformat/mov.c.

Recently, Andy Nguyen publicly released the PoC code for this flaw on GitHub and published the analysis report. In light of the release of the PoC, users that use vulnerable FFmpeg versions are recommended to prioritize the patches (upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05) to mitigate active exploitation attempts.