CVE-2017-9256
Description
A crafted MP4 file triggers an infinite loop in FAAD2's mp4ff_read_stco function, causing CPU exhaustion and denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) version 2.7 contains a flaw that allows a remote attacker to cause a denial of service via a crafted MP4 file. The function enters a large loop, consuming excessive CPU resources. [1]
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted MP4 file to the FAAD2 decoder. No authentication or special privileges are required; the attacker only needs to convince a user to process the malicious file (e.g., via a web browser or media player that uses FAAD2). The decoder will then enter an infinite or very large loop in mp4ff_read_stco, leading to high CPU usage.
Impact
Successful exploitation results in a denial of service due to excessive CPU consumption, potentially causing the application to become unresponsive or crash. The vulnerability does not allow code execution or data exfiltration; it is limited to resource exhaustion.
Mitigation
As of the publication date (2017-06-27), no patch or fixed version has been disclosed in the available references. Users should avoid processing untrusted MP4 files with FAAD2 2.7 until a fix is applied. Upgrading to a later version of FAAD2, if available, may mitigate the issue.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.7:*:*:*:*:*:*:*
- Range: =2.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing upper-bound validation on `stco_entry_count` read from the MP4 file allows an attacker-controlled loop iteration count."
Attack vector
An attacker crafts a malicious MP4 file containing an `stco` atom whose `stco_entry_count` field is set to an extremely large value. When FAAD2 calls `mp4ff_read_stco`, the function reads this unchecked count and enters a loop that iterates that many times, each iteration reading a 32-bit integer from the file. This causes the decoder to spend excessive CPU time in a large loop, resulting in a denial of service [CWE-834] [1]. The attack requires no authentication; the victim only needs to open the crafted file with FAAD2.
Affected code
The vulnerable function is `mp4ff_read_stco` in `common/mp4ff/mp4atom.c`. The function reads `stco_entry_count` directly from the file without any upper-bound validation, then uses that value to control a `for` loop that reads that many chunk offsets from the file [1].
What the fix does
The advisory does not include a patch or remediation guidance. The underlying issue is that `mp4ff_read_stco` does not validate the `stco_entry_count` value read from the file before using it as a loop bound. A proper fix would add a sanity check on `stco_entry_count` (e.g., rejecting values that exceed a reasonable maximum or that would cause the loop to read beyond the remaining file data) before entering the `for` loop [1].
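The sanity check described above, as an added example; it is not FAAD2's code and not a patch from the advisory. The function name `read_stco_bounded`, the in-memory payload interface and the sample byte arrays are assumptions made for illustration; the `stco` payload layout (version and flags, a 32-bit big-endian entry count, then 32-bit chunk offsets) follows the standard MP4 box format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Read a big-endian 32-bit value from a byte buffer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an stco payload (the bytes after the 8-byte atom header):
 *   version(1) flags(3) entry_count(4) chunk_offset[entry_count](4 each)
 * Returns 0 and a malloc'd offset table on success, -1 on malformed input.
 * Hypothetical helper for illustration; not FAAD2's mp4ff_read_stco. */
int read_stco_bounded(const uint8_t *payload, size_t len,
                      uint32_t **offsets_out, uint32_t *count_out)
{
    if (len < 8)
        return -1;                 /* no room for version/flags + count */
    uint32_t count = be32(payload + 4);
    size_t remaining = len - 8;
    /* The bound the unchecked loop lacks: each entry needs 4 bytes that
     * really exist in the atom, so count may not exceed remaining / 4. */
    if (count > remaining / 4)
        return -1;
    uint32_t *offsets = calloc(count ? count : 1, sizeof *offsets);
    if (offsets == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        offsets[i] = be32(payload + 8 + (size_t)i * 4);
    *offsets_out = offsets;
    *count_out = count;
    return 0;
}

/* Constructed sample payloads (not taken from the advisory's PoC file). */
static const uint8_t STCO_OK[]   = { 0,0,0,0, 0,0,0,2, 0,0,0,0x30, 0,0,0x10,0 };
static const uint8_t STCO_HUGE[] = { 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0x30 };

int main(void)
{
    uint32_t *offs = NULL, n = 0;
    int ok = read_stco_bounded(STCO_OK, sizeof STCO_OK, &offs, &n);
    int huge = read_stco_bounded(STCO_HUGE, sizeof STCO_HUGE, &offs, &n);
    printf("valid: %d (%u entries), oversized count: %d\n", ok, (unsigned)n, huge);
    free(offs);
    return 0;
}
```

A parser that reads from a file stream rather than a buffer would make the same comparison against the bytes left in the enclosing atom.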
Preconditions
- Input: Victim must open a crafted MP4 file with FAAD2 (e.g., via `faad` command-line tool).
- Auth: No authentication or special privileges required.
Reproduction
Use the provided proof-of-concept file `faad2_2.7_mp4ff_read_stco_large_loop.mp4` [1]. Run: `./faad faad2_2.7_mp4ff_read_stco_large_loop.mp4 -o out.wav`. The decoder will enter a large loop and consume excessive CPU.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. seclists.org/fulldisclosure/2017/Jun/32 (nvd; Mailing List, Third Party Advisory)