CVE-2013-7010
Description
Integer signedness errors in FFmpeg's dsputil.c allow out-of-bounds array access via crafted data, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer signedness errors in FFmpeg's dsputil.c allow out-of-bounds array access via crafted data, leading to denial of service.
Vulnerability
Multiple integer signedness errors exist in libavcodec/dsputil.c in FFmpeg before version 2.1. Specifically, in the add_bytes_c and diff_bytes_c functions, the comparison i <= w - sizeof(long) uses sizeof(long) (unsigned) and w (signed int), leading to signedness mismatch that can cause the loop bound to be incorrect, resulting in out-of-bounds array access when processing crafted data. This was fixed in commit [454a11a][4] [3].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted multimedia file that triggers the vulnerable code path during decoding. No authentication or special privileges are required; the vulnerability can be triggered remotely by convincing a user to process the malicious file with an affected version of FFmpeg.
Impact
Successful exploitation causes an out-of-bounds array access, leading to a denial of service (application crash) and potentially other unspecified impacts such as memory corruption. The impact is limited to the FFmpeg process; no privilege escalation is indicated.
Mitigation
The issue is fixed in FFmpeg version 2.1, released in December 2013, and in commit [454a11a][4]. Users should upgrade to FFmpeg 2.1 or later. No known workarounds exist for unpatched versions.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
66cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*+ 64 more
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*range: <=2.0.1
- cpe:2.3:a:ffmpeg:ffmpeg:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.9:pre1:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0:*:*:*:*:*:*:*
- (no CPE)range: <2.1
Patches
1454a11a1c9c6Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- openwall.com/lists/oss-security/2013/11/26/7nvdPatch
- openwall.com/lists/oss-security/2013/12/08/3nvdPatch
- github.com/FFmpeg/FFmpeg/commit/454a11a1c9c686c78aa97954306fb63453299760nvdExploitPatch
- ffmpeg.org/security.htmlnvd
- git.libav.orgnvd
- www.debian.org/security/2014/dsa-2855nvd
- security.gentoo.org/glsa/201603-06nvd
News mentions
0No linked articles in our index yet.