CVE-2017-9253
Description
The mp4ff_read_stsd function in FAAD2 2.7 enters a large loop consuming excessive CPU when processing a crafted MP4 file, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The mp4ff_read_stsd function in FAAD2 2.7 enters a large loop consuming excessive CPU when processing a crafted MP4 file, leading to denial of service.
Vulnerability
The vulnerability resides in the mp4ff_read_stsd function in common/mp4ff/mp4atom.c of Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 [1]. When parsing a specially crafted MP4 file, the function enters a large loop that results in excessive CPU consumption, causing a denial of service. The function is called during the parsing of MP4 atoms, reachable when a user opens a malicious file using the FAAD2 decoder.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious MP4 file and delivering it to a target. No authentication is required; the attacker only needs to trick the user into opening the file with a vulnerable application that uses FAAD2 (e.g., faad command-line tool) [1]. The processing of the file triggers the large loop in mp4ff_read_stsd, leading to CPU exhaustion.
Impact
Successful exploitation results in a denial of service, causing high CPU consumption and potentially freezing the application. The impact is limited to denial of service; there is no information disclosure, privilege escalation, or remote code execution reported.
Mitigation
As of the publication date (2017-06-27), no official patch has been released for FAAD2 2.7. Users are advised to avoid processing untrusted MP4 files with FAAD2. There is no known workaround other than not using the affected version or applying the fix from the source if available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: <=2.7
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on stsd_entry_count allows an attacker-controlled large loop bound, causing excessive CPU consumption."
Attack vector
An attacker crafts a malicious MP4 file where the `stsd_entry_count` field (read at offset 8 of the STSD atom) is set to an extremely large value [ref_id=1]. When FAAD2's `mp4ff_read_stsd` processes this file, the loop iterates `stsd_entry_count` times, each iteration performing file-position calculations and atom-header reads [ref_id=1]. This causes excessive CPU consumption and a denial of service [CWE-834] [ref_id=1]. The attack requires no authentication and is triggered simply by opening the crafted file (user interaction is opening the file) [ref_id=1].
Affected code
The vulnerable function is `mp4ff_read_stsd` in `common/mp4ff/mp4atom.c` of FAAD2 2.7 [ref_id=1]. The function reads a 32-bit value from the file into `f->track[f->total_tracks - 1]->stsd_entry_count` without any bounds check, then uses that value as the loop bound for a `for` loop [ref_id=1].
What the fix does
The advisory does not include a patch or remediation guidance [ref_id=1]. To fix this vulnerability, the code should validate that `stsd_entry_count` is within a reasonable upper bound before using it as the loop limit, preventing an attacker-controlled large value from causing excessive iterations [CWE-834].
Preconditions
- inputThe attacker must supply a crafted MP4 file with an inflated stsd_entry_count value
- inputThe victim must open the crafted file with FAAD2 (e.g., via the faad command-line tool)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- seclists.org/fulldisclosure/2017/Jun/32nvdMailing ListThird Party Advisory
News mentions
0No linked articles in our index yet.