CVE-2013-0894
Description
Buffer overflow in FFmpeg's Vorbis decoder via zero bark map size leads to DoS or potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow vulnerability exists in the vorbis_parse_setup_hdr_floors function within vorbisdec.c in FFmpeg's libavcodec library, affecting versions through 1.1.3. The issue is triggered by a crafted Vorbis audio stream containing a zero value for bark map size, leading to an out-of-bounds array access or divide-by-zero error. This code path is reachable when decoding malicious Vorbis files. The bug was also present in Google Chrome before version 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, as it bundled the vulnerable FFmpeg library.
Exploitation
An attacker can exploit this vulnerability by delivering a specially crafted Vorbis audio file to a target application that uses the affected FFmpeg decoder (e.g., via a web page in Chrome or media playback in other software). No authentication or special privileges are required; the attacker only needs to trigger decoding of the malicious file. The exploit does not require user interaction beyond opening the media file or accessing a page that autoplays the content.
Impact
Successful exploitation could cause a denial of service (a crash from the divide-by-zero or out-of-bounds access). The CVE description also says the flaw may “possibly have unspecified other impact,” which leaves arbitrary code execution as a possibility. In that case the attacker would gain the same privileges as the affected application (e.g., the Chrome sandbox or user-level process).
Mitigation
The fix was committed to the FFmpeg repository in commit 2c16bf2de07c68513072bf3cc96401d2c3e1a3e (reference [2]) and to Chromium's FFmpeg copy in commit e1e70d9bb9852b7d099379afc95531a632a20ba5 (reference [1]). Users should update FFmpeg to a patched version (post-1.1.3) or, for Chrome users, ensure they are running version 25.0.1364.97 or later (Windows/Linux) or 25.0.1364.99 or later (Mac OS X). No other workarounds are documented.
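To illustrate the class of parse-time check that closes this kind of bug, the following added example (not FFmpeg's code and not the referenced patch) reads the first fields of a Vorbis floor type 0 header and rejects a zero bark map size before any later stage can divide by it or derive an array index from it. The field widths follow the Vorbis I specification; the names `BitReader`, `read_bits`, `Floor0Header` and `parse_floor0_header`, the error codes, and the sample bytes are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* LSB-first bit reader, matching Vorbis bitpacking (hypothetical helper). */
typedef struct { const uint8_t *buf; size_t size_bits, pos; } BitReader;

/* Read n (<= 16) bits; return -1 instead of reading past the end of input. */
static int32_t read_bits(BitReader *br, unsigned n)
{
    uint32_t v = 0;
    if (n > 16 || br->size_bits - br->pos < n)
        return -1;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v |= (uint32_t)((br->buf[br->pos >> 3] >> (br->pos & 7)) & 1u) << i;
    return (int32_t)v;
}

enum { FLOOR0_OK = 0, FLOOR0_TRUNCATED = -1, FLOOR0_INVALID = -2 };
typedef struct { int order, rate, bark_map_size; } Floor0Header;

/* Parse floor0_order (8 bits), floor0_rate (16) and floor0_bark_map_size (16). */
static int parse_floor0_header(const uint8_t *data, size_t len, Floor0Header *out)
{
    BitReader br = { data, len * 8, 0 };
    int32_t order = read_bits(&br, 8);
    int32_t rate  = read_bits(&br, 16);
    int32_t bark  = read_bits(&br, 16);

    if (order < 0 || rate < 0 || bark < 0)
        return FLOOR0_TRUNCATED;
    /* The zero value this CVE concerns: refuse the stream here so the
     * field is never used as a divisor or as an array bound later on. */
    if (bark == 0)
        return FLOOR0_INVALID;
    out->order = order;
    out->rate = rate;
    out->bark_map_size = bark;
    return FLOOR0_OK;
}

/* Constructed samples: order 16, rate 44100, bark map size 256 and 0. */
static const uint8_t good_hdr[] = { 0x10, 0x44, 0xAC, 0x00, 0x01 };
static const uint8_t zero_hdr[] = { 0x10, 0x44, 0xAC, 0x00, 0x00 };

int main(void)
{
    Floor0Header h;
    return parse_floor0_header(good_hdr, sizeof good_hdr, &h) == FLOOR0_OK &&
           parse_floor0_header(zero_hdr, sizeof zero_hdr, &h) == FLOOR0_INVALID ? 0 : 1;
}
```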
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*