CVE-2017-9219
Description
A crafted MP4 file triggers a memory allocation error in FAAD2 2.7's mp4ff_read_stsc function, causing a denial of service via application crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted MP4 file triggers a memory allocation error in FAAD2 2.7's mp4ff_read_stsc function, causing a denial of service via application crash.
Vulnerability
The mp4ff_read_stsc function in common/mp4ff/mp4atom.c of Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 contains a flaw that allows a remote attacker to cause a denial of service. The issue is triggered when processing a crafted MP4 file, leading to a memory allocation error and subsequent application crash. Affected software is FAAD2 version 2.7 [1].
Exploitation
An attacker must supply a specially crafted MP4 file to the FAAD2 decoder, for example by persuading a user to decode the file using the faad command-line tool. No authentication or special privileges are needed beyond the ability to deliver the file. The vulnerability manifests during the parsing of the MP4 file's stsc atom, where the function attempts to allocate memory based on attacker-controlled values, leading to an allocation failure [1].
Impact
Successful exploitation results in a denial of service (application crash) due to a memory allocation error. The impact is limited to availability, with no known effect on confidentiality or integrity. The crash occurs in the context of the FAAD2 process, potentially disrupting any application or service relying on this library [1].
Mitigation
As of the publication date (2017-06-27), no official patch for FAAD2 version 2.7 has been released for this specific vulnerability. Users should consider applying input validation or restricting the decoding of untrusted MP4 files. Upgrading to a later version that may address this issue (e.g., after the vendor releases a fix) is recommended. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalogue [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: =2.7
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation on the allocation size computed from attacker-controlled values in the `stsc` atom leads to an excessive memory allocation request and crash."
Attack vector
An attacker crafts a malicious MP4 file containing a specially crafted `stsc` atom. When FAAD2's `mp4ff_read_stsc` function parses this atom, it computes an excessively large allocation size (observed as `0xfffffffe18000000` bytes) [ref_id=1]. The `malloc` call fails, AddressSanitizer's allocator terminates the process, and the application crashes — a denial of service [ref_id=1]. The attack requires no authentication; the victim only needs to open the crafted file with FAAD2 [CWE-119].
Affected code
The vulnerable function is `mp4ff_read_stsc` in `common/mp4ff/mp4atom.c` (line 423) [ref_id=1]. The call chain shows `mp4ff_atom_read` (line 665) calls `mp4ff_read_stsc`, triggered during `parse_sub_atoms` and `parse_atoms` in `common/mp4ff/mp4ff.c` when processing a crafted MP4 file [ref_id=1].
What the fix does
The advisory does not include a patch or explicit remediation guidance [ref_id=1]. To fix the vulnerability, the `mp4ff_read_stsc` function should validate the number of entries read from the MP4 atom before using it to compute allocation sizes, preventing an integer overflow or excessively large memory request. Without such bounds checking, a crafted `stsc` atom can trigger a memory allocation error and crash [CWE-119].
Preconditions
- inputVictim must open a crafted MP4 file with FAAD2 (e.g., via `faad crafted.mp4 -o out.wav`)
- authNo authentication or special privileges required
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- seclists.org/fulldisclosure/2017/Jun/32nvdMailing ListThird Party Advisory
News mentions
0No linked articles in our index yet.