CVE-2021-32272
Description
A heap-buffer-overflow in faad2's mp4read.c allows remote code execution via crafted MP4 files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-buffer-overflow exists in the stszin function in mp4read.c of faad2 before version 2.10.0. The vulnerability originates from an integer overflow: when mp4config.frame.ents is read with a value of (uint32_t)(-1), it overflows to 0 in the size calculation for the subsequent memory allocation. malloc() then returns a pointer to a zero-sized region, causing a heap-buffer-overflow when data is written to it [1][2]. The overflow occurs at line 355 of mp4read.c during parsing of a crafted MP4 file.
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted MP4 file to the faad2 decoder. No authentication or special network position is required; the attack vector is local file processing, typically triggered when a user opens the malicious file with faad2. The overflow is triggered during the parsing of the MP4 header, specifically in the stszin function, leading to a write of 4 bytes at a controlled offset [1].
Impact
Successful exploitation allows an attacker to achieve code execution with the privileges of the user running faad2. The vulnerability is classified as a heap-buffer-overflow, which can be leveraged to overwrite critical data structures and hijack control flow, as confirmed by the CVE description [1][2].
Mitigation
The issue was fixed in commit 1b71a6ba963d131375f5e489b3b25e36f19f3f24 [2] and is included in faad2 version 2.10.0. Users should upgrade to faad2 2.10.0 or later. No workaround is available for earlier versions.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- faad2/faad2
- Range: <2.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation in the stszin function allows a heap-buffer-overflow when writing sample size data into an undersized buffer."
Attack vector
An attacker supplies a crafted MP4 file that triggers a heap-buffer-overflow in the `stszin` function during parsing of the 'stsz' atom. The overflow is a WRITE of size 4 to a heap buffer that was allocated as only 1 byte, as shown by the ASan output: the 1-byte region ends at `0x602000000011` and the write targets `0x602000000010`. No authentication or special network position is required beyond delivering the malicious file to the decoder.
Affected code
The heap-buffer-overflow occurs in the function `stszin` located in `mp4read.c` at line 355. The allocation happens at line 348 of the same function, and the overflow is triggered during a write of size 4 at line 355. The call chain shows `stszin` is invoked by `parse` (line 766), which is recursively called multiple times before being reached from `moovin` (line 867) and ultimately `mp4read_open` (line 1005).
What the fix does
The advisory does not include a patch diff. The fix was released in faad2 version 2.10.0. Based on the bug report, the root cause is that `stszin` allocates a buffer based on an untrusted size value from the MP4 file without validating that the allocation size is sufficient for the subsequent write operations, leading to a heap-buffer-overflow. The remediation likely involves adding bounds checking before the write at line 355.
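The integer-overflow mechanism described under "Vulnerability" and the bounds checking suggested above can be shown side by side. The following is an added illustration, not code from faad2 or from the fix commit: the entry type `sample_entry_t`, the `ents + 1` term in the size arithmetic, and the `max_ents` plausibility bound are assumptions made for the example.

```c
/* Added example (not faad2's code): how a 32-bit sample count of 0xFFFFFFFF
 * wraps the allocation size to zero, and a checked computation that rejects
 * it. The entry type and the "+ 1" in the size formula are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-sample table entry (4 bytes). */
typedef struct { uint32_t size; } sample_entry_t;

/* Vulnerable pattern: all arithmetic is done in 32 bits. With ents equal to
 * (uint32_t)(-1), ents + 1 wraps to 0 and the product passed to malloc() is 0,
 * so the first 4-byte write into the table lands outside the region. */
uint32_t vulnerable_alloc_size(uint32_t ents)
{
    return (uint32_t)sizeof(sample_entry_t) * (ents + 1);
}

/* Hardened pattern: reject counts the file cannot plausibly carry, widen the
 * arithmetic to size_t so the "+ 1" cannot wrap, and check the multiplication
 * before it reaches malloc(). Returns the byte count, or 0 on rejection. */
size_t checked_alloc_size(uint32_t ents, uint32_t max_ents)
{
    if (ents > max_ents)                       /* untrusted count too large */
        return 0;
    size_t n = (size_t)ents + 1;               /* widened: no 32-bit wrap */
    if (n > SIZE_MAX / sizeof(sample_entry_t)) /* multiplication would overflow */
        return 0;
    return n * sizeof(sample_entry_t);
}

/* Allocate the table only when the checked size is non-zero; 1 on success,
 * 0 when the count was rejected. The table is freed again here because the
 * function exists only to exercise the check. */
int table_alloc_ok(uint32_t ents, uint32_t max_ents)
{
    size_t bytes = checked_alloc_size(ents, max_ents);
    if (bytes == 0)
        return 0;
    sample_entry_t *tab = calloc(1, bytes);
    if (tab == NULL)
        return 0;
    tab[ents].size = 0;                        /* last entry is in bounds */
    free(tab);
    return 1;
}

int main(void)
{
    uint32_t crafted = (uint32_t)(-1);         /* constructed: the wrapping count */
    printf("vulnerable size for 0x%08x: %u bytes\n", crafted,
           vulnerable_alloc_size(crafted));
    printf("checked size for 0x%08x: %zu bytes (0 = rejected)\n", crafted,
           checked_alloc_size(crafted, 1u << 20));
    printf("checked size for 2 entries: %zu bytes\n",
           checked_alloc_size(2, 1u << 20));
    return 0;
}
```

The `max_ents` bound is the part a real parser has to choose deliberately: a sensible value is derived from the remaining byte length of the enclosing atom, so that a count larger than the data actually present is rejected before any allocation is attempted.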
Preconditions
- input: The attacker must provide a crafted MP4 file that causes the stszin function to allocate an undersized heap buffer (1 byte) and then write beyond it.
- config: The faad2 decoder must be invoked with the crafted file, e.g., via the command-line tool `faad -w -b 5 `.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2022/dsa-5109 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24 (mitre, x_refsource_MISC)
- github.com/knik0/faad2/issues/57 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.