CVE-2017-9223
Description
A crafted MP4 file triggers an invalid memory read in FAAD2's mp4ff_read_stts function, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the mp4ff_read_stts function within common/mp4ff/mp4atom.c of Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7. When processing a specially crafted MP4 file, the function performs an invalid memory read, leading to a crash. The code path is reachable when the decoder attempts to parse the stts atom of the MP4 container [1].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious MP4 file to the FAAD2 decoder (e.g., via the faad command-line tool). No authentication or special privileges are required; the victim only needs to open the crafted file. The invalid memory read occurs during the parsing of the stts atom, causing the application to terminate unexpectedly [1].
Impact
Successful exploitation results in a denial of service (DoS) due to an application crash. The invalid memory read does not allow code execution or information disclosure beyond the crash itself. The impact is limited to availability, affecting the decoder's ability to process audio files [1].
Mitigation
As of the publication date (2017-06-27), no official patch or fixed version has been disclosed in the available references. Users should exercise caution when opening MP4 files from untrusted sources. Upgrading to a later version of FAAD2, if available, may address this issue, but no specific fix is mentioned in the reference [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: = 2.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on attacker-controlled entry count in mp4ff_read_stts leads to out-of-bounds memory read."
Attack vector
An attacker supplies a crafted MP4 file containing a malformed STTS (decoding time-to-sample) atom. When FAAD2's `mp4ff_read_stts` function processes this atom, it reads an entry count from the file and uses it to access an array without bounds checking [CWE-125]. This causes an out-of-bounds read that triggers a segmentation fault, as shown by the AddressSanitizer SEGV at `mp4atom.c:495` [ref_id=1]. The attack requires no authentication; the victim only needs to open the malicious file with the faad decoder (e.g., `./faad poc.mp4 -o out.wav`) [ref_id=1].
Affected code
The vulnerable function is `mp4ff_read_stts` in `common/mp4ff/mp4atom.c` at line 495 [ref_id=1]. The crash occurs when parsing a crafted MP4 file's STTS atom, where the function reads an attacker-controlled entry count without validation and then uses it to index into allocated memory [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation guidance or a fixed version. To close this vulnerability, the `mp4ff_read_stts` function would need to validate the `stts_entry_count` value read from the file against the actual allocated buffer size before using it as an index, preventing the out-of-bounds read [CWE-125].
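One way to write the check described above, as an added example rather than FAAD2's code or a patch from the advisory: a stand-alone C parser that rejects an `stts_entry_count` larger than the atom payload can hold before it allocates or indexes anything. The types, `parse_stts` and the sample buffers are constructed for illustration; the layout assumed is the standard stts box (version, flags, 32-bit big-endian entry count, then 8-byte count/delta pairs).

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint32_t sample_count, sample_delta; } stts_entry;
typedef struct {                 /* hypothetical types for this example */
    uint32_t stts_entry_count;
    stts_entry *entries;
} stts_table;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* body,len = stts payload after the atom header; returns 0, or -1 if rejected */
int parse_stts(const uint8_t *body, size_t len, stts_table *out)
{
    *out = (stts_table){0, NULL};
    if (len < 8)                          /* version(1)+flags(3)+count(4) */
        return -1;
    uint32_t n = be32(body + 4);          /* untrusted entry count */
    if (n > (len - 8) / 8)                /* every 8-byte entry must be present */
        return -1;
    if (n == 0)
        return 0;
    out->entries = calloc(n, sizeof(stts_entry));
    if (out->entries == NULL)
        return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = body + 8 + 8 * (size_t)i;
        out->entries[i].sample_count = be32(e);
        out->entries[i].sample_delta = be32(e + 4);
    }
    out->stts_entry_count = n;            /* published only after the checks */
    return 0;
}

/* Constructed inputs: one valid entry, then a count far beyond the payload. */
static const uint8_t GOOD[] = {0,0,0,0, 0,0,0,1, 0,0,0,10, 0,0,4,0};
static const uint8_t BAD[]  = {0,0,0,0, 0x7f,0xff,0xff,0xff, 0,0,0,10, 0,0,4,0};

int main(void)
{
    stts_table t;
    int bad = parse_stts(BAD, sizeof BAD, &t);     /* rejected */
    int good = parse_stts(GOOD, sizeof GOOD, &t);  /* one entry parsed */
    free(t.entries);
    return (good == 0 && bad == -1) ? 0 : 1;
}
```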
Preconditions
- input: Victim must open a crafted MP4 file with the FAAD2 decoder (e.g., via `./faad poc.mp4 -o out.wav`)
- auth: No authentication required
- input: Attacker must craft an MP4 file with a malformed STTS atom containing an invalid entry count
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. seclists.org/fulldisclosure/2017/Jun/32 (nvd; Mailing List, Third Party Advisory)