Michael Niedermayer

80 exploits Active since Nov 2013
CVE-2025-7700 WRITEUP MEDIUM WRITEUP
FFmpeg - Denial of Service via ALS Audio Decoder Memory Allocation Failure
A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.
CVSS 5.3
CVE-2025-69693 WRITEUP MEDIUM WRITEUP
FFmpeg 8.0-8.0.1 - Memory Corruption
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.
CVSS 5.4
CVE-2025-10256 WRITEUP MEDIUM WRITEUP
FFmpeg 3.2-8.0 - Denial of Service via Firequalizer Filter NULL Pointer Dereference
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVSS 5.3
CVE-2013-4263 WRITEUP WRITEUP
FFmpeg < 2.0 - Heap-Based Buffer Overflow via Crafted Plane
libavfilter in FFmpeg before 2.0.1 has unspecified impact and remote vectors related to a crafted "plane," which triggers an out-of-bounds heap write.
CVE-2013-4264 WRITEUP WRITEUP
FFmpeg < 2.0.1 - Denial of Service via G2M4 Encoded File
The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before 2.0.1 allows remote attackers to cause a denial of service (out-of-bounds heap write) via a G2M4 encoded file.
CVE-2013-4265 WRITEUP WRITEUP
FFmpeg < 2.0.1 - NULL Pointer Dereference via av_reallocp_array
The av_reallocp_array function in libavutil/mem.c in FFmpeg before 2.0.1 has an unspecified impact and remote vectors related to a "wrong return code" and a resultant NULL pointer dereference.
CVE-2015-3417 WRITEUP WRITEUP
FFmpeg < 2.3.6 - Use-After-Free in H.264 MP4 File Handling
Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data.
CVE-2016-8675 WRITEUP MEDIUM WRITEUP
Libav < 11.8 - Denial of Service via NULL Pointer Dereference in get_vlc2
The get_vlc2 function in get_bits.h in Libav before 11.9 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted mp3 file, possibly related to startcode sequences during m4v detection.
CVSS 5.5
CVE-2017-11399 WRITEUP HIGH WRITEUP
FFmpeg 2.4-3.3.2 - Out-of-bounds Read via Crafted APE File
Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in FFmpeg 2.4 through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file.
CVSS 7.8
CVE-2017-11665 WRITEUP HIGH WRITEUP
FFmpeg 3.3.2 - Denial of Service via Crafted RTMP Stream
The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg 3.3.2 allows remote RTMP servers to cause a denial of service (Segmentation Violation and application crash) via a crafted stream.
CVSS 7.5
CVE-2017-11719 WRITEUP HIGH WRITEUP
FFmpeg 3.0-3.3.2 - Out-of-bounds Read in DNxHD Decoder
The dnxhd_decode_header function in libavcodec/dnxhddec.c in FFmpeg 3.0 through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via a crafted DNxHD file.
CVSS 7.8
CVE-2017-14055 WRITEUP MEDIUM WRITEUP
FFmpeg 3.3.3 - Denial of Service via Crafted MV File Header
In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted MV file, which claims a large "nb_frames" field in the header but does not contain sufficient backing data, is provided, the loop over the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop.
CVSS 6.5
CVE-2017-14058 WRITEUP MEDIUM WRITEUP
FFmpeg 2.4 and 3.3.3 - Denial of Service via Infinite Loop in HLS Playlist Reload
In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c does not restrict reload attempts for an insufficient list, which allows remote attackers to cause a denial of service (infinite loop).
CVSS 6.5
CVE-2017-14222 WRITEUP MEDIUM WRITEUP
FFmpeg 3.3.3 - Denial of Service via Crafted MOV File in read_tfra()
In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted MOV file, which claims a large "item_count" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU and memory resources, since there is no EOF check inside the loop.
CVSS 6.5
CVE-2017-14223 WRITEUP MEDIUM WRITEUP
FFmpeg - Denial of Service via ASF File with Large 'ict' Field
In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_index() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted ASF file, which claims a large "ict" field in the header but does not contain sufficient backing data, is provided, the for loop would consume huge CPU and memory resources, since there is no EOF check inside the loop.
CVSS 6.5
CVE-2017-14225 WRITEUP HIGH WRITEUP
FFmpeg 3.3.3 - NULL Pointer Dereference in av_color_primaries_name
The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)
CVSS 8.8
CVE-2017-14767 WRITEUP HIGH WRITEUP
FFmpeg < 3.3.3 - Heap Buffer Overflow via Empty sprop-parameter-sets in SDP File
The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a crafted sdp file.
CVSS 8.8
CVE-2017-15672 WRITEUP HIGH WRITEUP
FFmpeg < 3.3.4 - Out-of-bounds Read in read_header Function
The read_header function in libavcodec/ffv1dec.c in FFmpeg 2.4 and 3.3.4 and possibly earlier allows remote attackers to have unspecified impact via a crafted MP4 file, which triggers an out-of-bounds read.
CVSS 8.8
CVE-2017-16803 WRITEUP HIGH WRITEUP
Libav < 11.11 and 12.x < 12.1 - Denial of Service via Smacker Stream Recursion
In Libav through 11.11 and 12.x through 12.1, the smacker_decode_tree function in libavcodec/smacker.c does not properly restrict tree recursion, which allows remote attackers to cause a denial of service (bitstream.c:build_table() out-of-bounds read and application crash) via a crafted Smacker stream.
CVSS 7.5
CVE-2017-17081 WRITEUP MEDIUM WRITEUP
FFmpeg 2.3 and 3.4 - Out-of-bounds Read in gmc_mmx Function
The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 2.3 and 3.4 does not properly validate widths and heights, which allows remote attackers to cause a denial of service (integer signedness error and out-of-array read) via a crafted MPEG file.
CVSS 6.5
CVE-2017-7862 WRITEUP CRITICAL WRITEUP
FFmpeg < 2.8.10 - Out-of-bounds Write in decode_frame Function
FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c.
CVSS 9.8
CVE-2017-7863 WRITEUP CRITICAL WRITEUP
FFmpeg < 2.8.10 - Out-of-bounds Write in PNG Decoder
FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c.
CVSS 9.8
CVE-2017-7865 WRITEUP CRITICAL WRITEUP
FFmpeg < 2.8.9 - Out-of-bounds Write via ipvideo_decode_block_opcode_0xA
FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c.
CVSS 9.8
CVE-2017-7866 WRITEUP CRITICAL WRITEUP
FFmpeg < 2.8.9 - Out-of-bounds Write via decode_zbuf Function
FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c.
CVSS 9.8
CVE-2017-9990 WRITEUP HIGH WRITEUP
FFmpeg < 3.3 - Stack-based Buffer Overflow in color_string_to_rgba
Stack-based buffer overflow in the color_string_to_rgba function in libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.
CVSS 8.8