VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 27, 2017 · Updated May 13, 2026

CVE-2017-9254

Description

A crafted MP4 file can trigger an infinite loop in FAAD2 mp4ff_read_stts, causing CPU exhaustion and denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 contains an infinite loop vulnerability. By providing a specially crafted MP4 file, an attacker can cause the decoder to enter a large loop that consumes excessive CPU resources, leading to a denial of service [1].

Exploitation

An attacker can exploit this vulnerability by crafting an MP4 file that triggers the infinite loop in mp4ff_read_stts. The attacker must deliver this file to the victim, who then opens it with FAAD2. No authentication or special network position is required; the attack can be carried out remotely via file sharing or web downloads.

Impact

Successful exploitation results in a denial of service condition. The FAAD2 process hangs or becomes unresponsive due to high CPU consumption, potentially affecting the availability of the system or application using the library. The impact is limited to CPU exhaustion; no data integrity or confidentiality is compromised.

Mitigation

As of the publication date, no official patch has been released for this vulnerability. Users should limit exposure by avoiding the parsing of untrusted MP4 files with FAAD2 version 2.7. The vendor may release a fix in a future version; checking for updates is recommended [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `mp4ff_read_stts` function reads `stts_entry_count` directly from the attacker-controlled MP4 file without any upper-bound validation, then uses that value as the loop bound for a subsequent read loop, enabling an attacker to set an arbitrarily large count and cause excessive CPU consumption."

Attack vector

An attacker crafts a malicious MP4 file containing an `stts` atom whose `stts_entry_count` field is set to an arbitrarily large value [ref_id=1]. When the victim runs `faad` (FAAD2 2.7) on this file, `mp4ff_read_stts` reads the large count and enters a loop that iterates that many times, each iteration reading two 32-bit integers from the file [ref_id=1]. This causes a denial of service through excessive CPU consumption [CWE-834]. The attack requires no authentication and is triggered simply by opening the crafted file.

Affected code

The vulnerable function is `mp4ff_read_stts` in `common/mp4ff/mp4atom.c` [ref_id=1]. The function reads `p_track->stts_entry_count = mp4ff_read_int32(f)` from the file without any upper-bound check, then uses that value as the loop bound in `for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count; i++)` [ref_id=1].

What the fix does

The advisory does not include a patch or remediation guidance for this specific issue [ref_id=1]. No fix is published in the provided bundle. To close the vulnerability, a developer would need to add an upper-bound check on `stts_entry_count` after reading it from the file, rejecting values that exceed a reasonable limit (e.g., based on the file size or a maximum allowed number of STTS entries) before allocating memory or entering the loop.
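The bound described above, as an added example (not FAAD2's code and not taken from the advisory): a stand-alone parser for an in-memory `stts` payload that rejects an entry count larger than the bytes present can hold. `parse_stts_bounded`, `stts_entry`, `be32` and the sample buffers are hypothetical names and constructed data; the assumed layout is 4 bytes of version/flags, a 32-bit big-endian count, then 8-byte entries, with the buffer length standing in for the bytes remaining in the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical names for illustration; not FAAD2's own code. */
typedef struct { uint32_t sample_count, sample_delta; } stts_entry;

/* Constructed sample payloads: version/flags, entry_count, entries. */
static const uint8_t stts_ok[] = {
    0, 0, 0, 0,   0, 0, 0, 2,             /* entry_count = 2 */
    0, 0, 0, 10,  0, 0, 4, 0,             /* 10 samples, delta 1024 */
    0, 0, 0, 1,   0, 0, 2, 0 };           /* 1 sample, delta 512 */
static const uint8_t stts_huge[] = {
    0, 0, 0, 0,   0xFF, 0xFF, 0xFF, 0xFF, /* entry_count = 0xFFFFFFFF */
    0, 0, 0, 1,   0, 0, 4, 0 };           /* only one entry present */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if truncated, -2 if entry_count exceeds what
 * the remaining bytes can hold, -3 on allocation failure. */
int parse_stts_bounded(const uint8_t *buf, size_t len,
                       stts_entry **out, uint32_t *out_count)
{
    *out = NULL;
    *out_count = 0;
    if (len < 8)
        return -1;                      /* no room for flags + count */
    uint32_t count = be32(buf + 4);     /* untrusted, file-supplied */
    size_t remaining = len - 8;
    /* Each entry is 8 bytes, so a valid count is at most remaining / 8.
     * Dividing instead of multiplying avoids integer overflow. */
    if (count > remaining / 8)
        return -2;
    if (count == 0)
        return 0;
    stts_entry *entries = calloc(count, sizeof *entries);
    if (entries == NULL)
        return -3;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + (size_t)i * 8;
        entries[i].sample_count = be32(p);
        entries[i].sample_delta = be32(p + 4);
    }
    *out = entries;
    *out_count = count;
    return 0;
}
```

With the check in place, the loop bound is tied to the data actually available, so the oversized count is rejected before any allocation or iteration happens.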

Preconditions

  • input: Victim must open a crafted MP4 file with FAAD2 2.7 (e.g., via `faad` command-line tool)
  • auth: No authentication or special privileges required
  • network: Attacker must deliver the malicious MP4 file to the victim (local file access or social engineering)

Reproduction

The advisory references a PoC file named `faad2_2.7_mp4ff_read_stts_large_loop.mp4` and provides the reproduction command: `./faad faad2_2.7_mp4ff_read_stts_large_loop.mp4 -o out.wav` [ref_id=1]. No further reproduction steps are documented in the bundle.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
