CVE-2017-9255
Description
A crafted MP4 file triggers an infinite loop in FAAD2's mp4ff_read_stsc function, causing high CPU consumption and denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The mp4ff_read_stsc function in common/mp4ff/mp4atom.c of Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 contains a flaw that allows a remote attacker to cause a denial of service via a crafted MP4 file. The function enters a large loop, consuming excessive CPU resources. The affected version is FAAD2 2.7 [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted MP4 file to the FAAD2 decoder. No authentication or special privileges are required; the attacker only needs to convince a user to process the malicious file (e.g., via a web download or email attachment). The decoder will parse the file and trigger the infinite loop in mp4ff_read_stsc, leading to high CPU usage [1].
Impact
Successful exploitation results in a denial of service condition, where the application becomes unresponsive due to excessive CPU consumption. The vulnerability does not allow code execution or data exfiltration; it only affects availability [1].
Mitigation
As of the publication date (2017-06-27), no official patch or fixed version has been released. Users should avoid processing untrusted MP4 files with FAAD2 2.7. Upgrading to a newer version of FAAD2, if available, may resolve the issue. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: = 2.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing upper-bound validation on `stsc_entry_count` read from the MP4 file allows an attacker-controlled value to dictate the number of loop iterations, causing excessive CPU consumption."
Attack vector
An attacker crafts a malicious MP4 file whose `stsc` atom contains an arbitrarily large `entry_count` value. When FAAD2 calls `mp4ff_read_stsc`, it reads this count and enters a loop that iterates that many times, each iteration reading 12 bytes from the file. The resulting large loop consumes excessive CPU and can effectively hang the decoder [CWE-834][ref_id=1]. The attack requires no special privileges; the victim only needs to open the crafted file with FAAD2 (e.g., via `faad crafted.mp4 -o out.wav`) [ref_id=1].
Affected code
The vulnerable function is `mp4ff_read_stsc` in `common/mp4ff/mp4atom.c` of FAAD2 2.7. The function reads `stsc_entry_count` directly from the MP4 file without any upper-bound validation, then uses that attacker-controlled value as the loop bound for a `for` loop that reads three 32-bit integers per iteration [ref_id=1].
What the fix does
The advisory does not include a patch or official fix. The remediation guidance implied by the disclosure is that FAAD2 should validate `stsc_entry_count` against a reasonable upper bound before entering the loop, or at minimum check that the loop does not exceed the available input data. Without such a check, an attacker can trivially cause a denial of service by supplying a large entry count in the `stsc` atom [ref_id=1].
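The check described above, sketched as an added example (not FAAD2's code and not a patch from the advisory). It assumes the `stsc` payload is already in memory with a known length; `parse_stsc`, `stsc_table`, `stsc_entry` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical types for this example; not FAAD2's own structures. */
typedef struct { uint32_t first_chunk, samples_per_chunk, sample_desc_index; } stsc_entry;
typedef struct { uint32_t count; stsc_entry *entries; } stsc_table;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* body: stsc payload after the atom header, i.e. version/flags (4 bytes),
 * entry_count (4 bytes), then entry_count entries of 12 bytes each.
 * Returns 0 on success, -1 if the payload is truncated or entry_count
 * claims more entries than the payload actually holds. */
int parse_stsc(const uint8_t *body, size_t body_len, stsc_table *out)
{
    out->count = 0;
    out->entries = NULL;
    if (body_len < 8)
        return -1;
    uint32_t count = be32(body + 4);
    if (count > (body_len - 8) / 12)  /* divide: count * 12 could overflow */
        return -1;
    if (count == 0)
        return 0;
    out->entries = calloc(count, sizeof *out->entries);
    if (!out->entries)
        return -1;
    for (uint32_t i = 0; i < count; i++) {  /* bounded by real data now */
        const uint8_t *e = body + 8 + (size_t)i * 12;
        out->entries[i].first_chunk = be32(e);
        out->entries[i].samples_per_chunk = be32(e + 4);
        out->entries[i].sample_desc_index = be32(e + 8);
    }
    out->count = count;
    return 0;
}

/* Constructed samples: a huge count with no entries, and a valid table. */
static const uint8_t STSC_CRAFTED[] = { 0,0,0,0, 0xFF,0xFF,0xFF,0xFF };
static const uint8_t STSC_VALID[] = { 0,0,0,0, 0,0,0,2,
    0,0,0,1, 0,0,0,4, 0,0,0,1,   0,0,0,3, 0,0,0,2, 0,0,0,1 };

int main(void)
{
    stsc_table t;
    printf("crafted: %d\n", parse_stsc(STSC_CRAFTED, sizeof STSC_CRAFTED, &t));
    int rc = parse_stsc(STSC_VALID, sizeof STSC_VALID, &t);
    printf("valid: %d (%u entries)\n", rc, (unsigned)t.count);
    free(t.entries);
    return 0;
}
```

A stream-based reader can apply the same comparison using the atom size it has already read from the atom header in place of `body_len`.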
Preconditions
- input: Victim must open a crafted MP4 file with FAAD2 (e.g., via the `faad` command-line tool).
- auth: No authentication or special privileges required.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. seclists.org/fulldisclosure/2017/Jun/32 (nvd; Mailing List, Third Party Advisory)
News mentions
No linked articles in our index yet.