CVE-2017-14170
MEDIUMFFmpeg 2.4-3.3.3 - Denial of Service via Crafted MXF File
Title source: llmDescription
In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted MXF file, which claims a large "nb_index_entries" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU resources, since there is no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file.
References (5)
Core 5
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100700
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3996
Patch x_refsource_misc
https://github.com/FFmpeg/FFmpeg/commit/f173cdfe669556aa92857adafe60cbe5f2aa1210
Scores
CVSS v3
6.5
EPSS
0.0177
EPSS Percentile
75.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-834
Status
published
Products (1)
ffmpeg/ffmpeg
3.3.3
Published
Sep 07, 2017
Tracked Since
Feb 18, 2026