CVE-2017-9220
Description
A crafted MP4 file triggers a memory allocation error in FAAD2 2.7's mp4ff_read_stco function, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The mp4ff_read_stco function in common/mp4ff/mp4atom.c of Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 contains a memory allocation error when processing a crafted MP4 file. The vulnerability is reachable when an attacker supplies a malicious MP4 file that triggers improper handling of chunk offset table data, leading to an invalid memory access.
Exploitation
An attacker needs only to deliver a specially crafted MP4 file to a user or application that uses FAAD2 to decode the file. No authentication or specialized network position is required; the attack vector is local, relying on the victim opening the malicious file with FAAD2 (e.g., via the faad command-line tool). The crash is demonstrated via ASAN output showing a SEGV at address 0x000000000014 in mp4ff_read_stco.
Impact
Successful exploitation causes a denial of service (application crash) due to an invalid memory read. No code execution or data exfiltration is reported; the impact is limited to availability. The crash occurs at a low privilege level consistent with user-space processing of media files.
Mitigation
As of the disclosed reference [1], no official patch or updated version addressing CVE-2017-9220 has been identified. Users are advised to avoid opening untrusted MP4 files with FAAD2 2.7 until a fix is released. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: =2.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation on attacker-controlled chunk count/offset values in `mp4ff_read_stco` leads to an arithmetic overflow resulting in an enormous `malloc` size."
Attack vector
An attacker supplies a crafted MP4 file containing a `stco` atom with a manipulated `chunk_count` or offset value that causes `mp4ff_read_stco` to compute an absurdly large allocation size [ref_id=1]. When the victim opens the file with FAAD2 (e.g., `./faad crafted.mp4 -o out.wav`), the function calls `malloc` with a size of 0xfffffffe18000000 bytes, which the allocator cannot satisfy, resulting in a denial of service via process termination [ref_id=1]. No authentication or special privileges are required beyond user interaction to open the file.
Affected code
The vulnerable function is `mp4ff_read_stco` in `common/mp4ff/mp4atom.c` at line 448 [ref_id=1]. The crash occurs during parsing of a crafted MP4 file when the function attempts to allocate an enormous amount of memory (0xfffffffe18000000 bytes) via `malloc`, causing AddressSanitizer to terminate the process [ref_id=1].
What the fix does
The advisory does not include a patch or remediation guidance [ref_id=1]. No fix is published in the disclosed material. To close the vulnerability, the `mp4ff_read_stco` function would need to validate that the computed allocation size derived from the MP4 atom's chunk count and offset fields does not exceed a reasonable maximum before calling `malloc`, and handle allocation failure gracefully instead of crashing.
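One way to implement the validation described above, as an added example (not FAAD2 code and not a published patch). The function name, return codes and sample byte arrays are hypothetical and constructed here; the bound used is the number of payload bytes actually present in the `stco` atom (version, flags, 32-bit entry count, then 32-bit offsets).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

enum { STCO_OK = 0, STCO_TRUNCATED = -1, STCO_BAD_COUNT = -2, STCO_NOMEM = -3 };

/* Read a big-endian 32-bit value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical hardened parser for an stco payload:
 * version(1) flags(3) entry_count(4), then entry_count 4-byte offsets. */
int stco_parse_checked(const uint8_t *buf, size_t len,
                       uint32_t **offsets, uint32_t *count) {
    *offsets = NULL;
    *count = 0;
    if (len < 8)
        return STCO_TRUNCATED;
    uint32_t n = be32(buf + 4);  /* attacker-controlled; kept unsigned */
    /* Each entry consumes 4 input bytes, so the payload length bounds n
     * and therefore the allocation size. */
    if (n > (len - 8) / 4)
        return STCO_BAD_COUNT;
    if (n == 0)
        return STCO_OK;
    uint32_t *tab = calloc(n, sizeof *tab);  /* calloc rejects n*size overflow */
    if (tab == NULL)
        return STCO_NOMEM;                   /* fail cleanly, do not crash */
    for (uint32_t i = 0; i < n; i++)
        tab[i] = be32(buf + 8 + (size_t)i * 4);
    *offsets = tab;
    *count = n;
    return STCO_OK;
}

/* Constructed samples (not taken from the PoC file). */
static const uint8_t stco_valid[] = { 0,0,0,0, 0,0,0,2, 0,0,0,0x30, 0,0,1,0 };
static const uint8_t stco_huge[]  = { 0,0,0,0, 0x86,0,0,0, 0,0,0,0x30 };

int main(void) {
    uint32_t *t, n;
    if (stco_parse_checked(stco_huge, sizeof stco_huge, &t, &n) != STCO_BAD_COUNT)
        return 1;
    int rc = stco_parse_checked(stco_valid, sizeof stco_valid, &t, &n);
    free(t);
    return rc == STCO_OK ? 0 : 1;
}
```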
Preconditions
- Input: Victim must open a crafted MP4 file with FAAD2 (e.g., via the faad command-line tool)
- Auth: No authentication required; local user interaction (opening the file) is sufficient
Reproduction
1. Obtain the PoC file `faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4` referenced in the disclosure [ref_id=1].
2. Run `./faad faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4 -o out.wav`.
3. Observe the AddressSanitizer output indicating a failed allocation of 0xfffffffe18000000 bytes and process termination [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- seclists.org/fulldisclosure/2017/Jun/32 (nvd; Mailing List; Third Party Advisory)