Bug 1112440 (CVE-2014-4610) - CVE-2014-4610 ffmpeg: av_lzo1x_decode() integer overflow
Summary: CVE-2014-4610 ffmpeg: av_lzo1x_decode() integer overflow
Alias: CVE-2014-4610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1113866
Blocks: Embargoed1112414
TreeView+ depends on / blocked
Reported: 2014-06-24 00:56 UTC by Kurt Seifried
Modified: 2021-02-17 06:27 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-30 05:16:57 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2014-06-24 00:56:28 UTC
Don A. Bailey of securitymouse.com reports:

Vulnerability Description
An integer overflow can occur when processing any variant of a "literal run"
in the av_lzo1x_decode function. Each of these three locations is 
subject to an integer overflow when processing zero bytes. 

Due to flaws in multiple functions within the libav code base, various 
checks can be bypassed that allow for corruption of precise locations in 

This issue is LAZARUS.4

Comment 1 Kurt Seifried 2014-06-24 01:32:48 UTC
Please note that gstreamer-plugins-good contains an embedded copy of lzo.c from ffmpeg:

commit c4912dac78c8d47e9c980ff74ceea667434ff764
Author: Sebastian Dröge <slomo>
Date:   Sat Aug 2 18:18:05 2008 +0000

    Decode the codec private data and following ContentEncoding if

    Original commit message from CVS:
    * configure.ac:
    * gst/matroska/Makefile.am:
    * gst/matroska/lzo.c: (get_byte), (get_len), (copy),
    (copy_backptr), (lzo1x_decode), (main):
    * gst/matroska/lzo.h:
    * gst/matroska/matroska-demux.c:
    (gst_matroska_decompress_data), (gst_matroska_decode_data),
    * gst/matroska/matroska-ids.h:
    Decode the codec private data and following ContentEncoding if
    Support bzip2, lzo and header stripped compression. For lzo use the
    ffmpeg lzo implementation as liblzo is GPL licensed.
    Fix zlib decompression.

Comment 2 Murray McAllister 2014-06-27 05:58:12 UTC
This issue is public:


Comment 3 Murray McAllister 2014-06-27 05:59:14 UTC
Created gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1113866]

Comment 4 Huzaifa S. Sidhpurwala 2014-06-30 05:13:10 UTC
This issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call.

The following packages in Red Hat Enterprise Linux embed lzo, but none of them use such large buffer sizes and therefore are not affected by this flaw:


Comment 5 Huzaifa S. Sidhpurwala 2014-06-30 05:15:14 UTC

Not vulnerable. This issue does not affect the version of qffmpeg as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of gstreamer-plugins-good as shipped with Red Hat Enterprise Linux 5, 6 and 7. This issue does not affect the version of gstreamer1-plugins-good as shipped with Red Hat Enterprise Linux 7.

Comment 6 Huzaifa S. Sidhpurwala 2014-06-30 05:16:57 UTC
This issue does not affect the version of gstreamer-plugins-good, gstreamer1-plugins-good and mingw-gstreamer-plugins-good as shipped with Fedora 19 and 20.

Comment 8 Tomas Hoger 2014-06-30 14:53:33 UTC
Blog post and security report from the original reporter:


Note You need to log in before you can comment on or make changes to this bug.