Bug 2401798 (CVE-2025-59729) - CVE-2025-59729 FFmpeg: Heap-buffer-overflow read in FFmpeg DHAV get_duration
Summary: CVE-2025-59729 FFmpeg: Heap-buffer-overflow read in FFmpeg DHAV get_duration
Keywords:
Status: NEW
Alias: CVE-2025-59729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2401823 2401826 2401830 2401838 2401845 2401856 2401860
Blocks:
Reported: 2025-10-06 09:01 UTC by OSIDB Bzimport
Modified: 2025-10-06 10:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-10-06 09:01:37 UTC
When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.

If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000), for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000, i.e. only the last 0x100000 bytes of the file are copied into end_buffer.

The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.

There is subsequently a check [3] that end_pos lies within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, not the case where end_pos is within the file but before the section copied into end_buffer (0 <= end_pos < end_buffer_pos). If we provide such an offset, (end_pos - end_buffer_pos) becomes negative, and the subsequent access at [4], which indexes end_buffer with that difference, reads before the beginning of the allocation.
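The following C model, added here as an example and not taken from FFmpeg's dhav.c, reproduces the scenario above on a constructed 0x101000-byte input: the last MAX_DURATION_BUFFER_SIZE bytes are copied into end_buffer, the buffer is scanned backwards for the "dhav" tag, and a 32-bit offset read after the tag is turned into end_pos. The trailer layout (tag followed by a little-endian distance back to the packet start), the helper names (scan_for_duration, check_vulnerable, check_fixed, demo) and the exact shape of both bounds checks are assumptions made for this example; the check_vulnerable variant mirrors the flawed check [3] as the report describes it, and check_fixed adds the missing lower bound against end_buffer_pos. The read at [4] is not performed; the example only reports the index it would have used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same limit the report quotes for FFmpeg's get_duration. */
#define MAX_DURATION_BUFFER_SIZE 0x100000

/* Outcome of resolving a candidate end_pos: whether the check let it through,
 * and the index (end_pos - end_buffer_pos) the access at [4] would use. */
typedef struct {
    int     accepted;
    int64_t index;
} dhav_check;

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model of the pre-fix check [3] (assumption): rejects only positions before
 * the file start or past its end, so a position inside the file but before
 * end_buffer_pos is accepted with a negative index. */
static dhav_check check_vulnerable(int64_t end_pos, int64_t size, int64_t end_buffer_pos)
{
    dhav_check r = { 0, end_pos - end_buffer_pos };
    if (end_pos < 0 || end_pos >= size)
        return r;
    r.accepted = 1;
    return r;
}

/* Hardened check: end_pos must lie inside the window [end_buffer_pos, size)
 * that was actually copied into end_buffer, so the index is never negative. */
static dhav_check check_fixed(int64_t end_pos, int64_t size, int64_t end_buffer_pos)
{
    dhav_check r = { 0, end_pos - end_buffer_pos };
    if (end_pos < end_buffer_pos || end_pos >= size)
        return r;
    r.accepted = 1;
    return r;
}

/* Steps [1] and [2] from the report, then a backwards scan for the trailer
 * tag. The trailer layout (tag + LE32 distance back to the packet start) is
 * an assumption for this example, not the documented DHAV format. */
static dhav_check scan_for_duration(const uint8_t *file, int64_t size, int use_fixed_check)
{
    dhav_check r = { 0, 0 };
    int64_t end_buffer_size = size < MAX_DURATION_BUFFER_SIZE ? size : MAX_DURATION_BUFFER_SIZE; /* [1] */
    int64_t end_buffer_pos  = size - end_buffer_size;                                             /* [2] */
    uint8_t *end_buffer;

    if (end_buffer_size < 8)
        return r;
    end_buffer = malloc((size_t)end_buffer_size);
    if (!end_buffer)
        return r;
    memcpy(end_buffer, file + end_buffer_pos, (size_t)end_buffer_size);

    for (int64_t pos = end_buffer_size - 8; pos >= 0; pos--) {
        if (memcmp(end_buffer + pos, "dhav", 4) != 0)
            continue;
        uint32_t back    = rl32(end_buffer + pos + 4);
        int64_t  end_pos = end_buffer_pos + pos - (int64_t)back;  /* file-relative packet start */
        r = use_fixed_check ? check_fixed(end_pos, size, end_buffer_pos)
                            : check_vulnerable(end_pos, size, end_buffer_pos);
        /* [4] would be end_buffer + r.index; accepted with r.index < 0 means a
         * read before the allocation. Report it instead of performing it. */
        break;
    }
    free(end_buffer);
    return r;
}

/* Constructed input: `size` zero bytes whose last 8 bytes hold the trailer. */
static uint8_t *build_file(int64_t size, uint32_t back)
{
    uint8_t *f = size < 8 ? NULL : calloc((size_t)size, 1);
    if (!f)
        return NULL;
    memcpy(f + size - 8, "dhav", 4);
    f[size - 4] = (uint8_t)back;
    f[size - 3] = (uint8_t)(back >> 8);
    f[size - 2] = (uint8_t)(back >> 16);
    f[size - 1] = (uint8_t)(back >> 24);
    return f;
}

/* The report's scenario: a 0x101000-byte file, so end_buffer_pos = 0x1000 and
 * the trailer tag sits at file offset 0x100FF8. */
static dhav_check demo(uint32_t back, int use_fixed_check)
{
    const int64_t size = 0x101000;
    dhav_check r = { 0, 0 };
    uint8_t *file = build_file(size, back);
    if (!file)
        return r;
    r = scan_for_duration(file, size, use_fixed_check);
    free(file);
    return r;
}

int main(void)
{
    /* back = 0x1007F8 resolves to end_pos = 0x800: inside the file, but in the
     * 0x1000 bytes that were never copied, so the index is -0x800. */
    dhav_check v = demo(0x1007F8, 0), f = demo(0x1007F8, 1), ok = demo(0x100, 1);
    printf("vulnerable check: accepted=%d index=%lld\n", v.accepted, (long long)v.index);
    printf("fixed check:      accepted=%d index=%lld\n", f.accepted, (long long)f.index);
    printf("benign offset:    accepted=%d index=%lld\n", ok.accepted, (long long)ok.index);
    return 0;
}
```

With the crafted back-offset the flawed check accepts end_pos = 0x800 and hands [4] an index of -0x800, while the hardened check rejects it because 0x800 < end_buffer_pos; a benign offset that stays inside the copied window passes both. When auditing the real fix, the property to confirm is exactly this lower bound: end_pos must be checked against end_buffer_pos, not just against 0.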

We recommend upgrading to FFmpeg 8.0 or later.
