CVE-2025-59729
Description
When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.
If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.
The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.
There is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.
We recommend upgrading to version 8.0 or beyond.
Affected products
60- osv-coords60 versionspkg:apk/chainguard/ffmpeg-6-devpkg:apk/chainguard/ffmpeg-6-docpkg:apk/chainguard/ffmpeg-6-libavcodec61pkg:apk/chainguard/ffmpeg-6-libavdevice61pkg:apk/chainguard/ffmpeg-6-libavfilter10pkg:apk/chainguard/ffmpeg-6-libavformat61pkg:apk/chainguard/ffmpeg-6-libavutil59pkg:apk/chainguard/ffmpeg-6-libpostproc58pkg:apk/chainguard/ffmpeg-6-libswresample5pkg:apk/chainguard/ffmpeg-6-libswscale8pkg:apk/chainguard/ffmpeg-6-qt-faststartpkg:apk/chainguard/ffmpeg-6-staticpkg:apk/chainguard/ffmpeg-7.1-devpkg:apk/chainguard/ffmpeg-7.1-docpkg:apk/chainguard/ffmpeg-7.1-libavcodec61pkg:apk/chainguard/ffmpeg-7.1-libavdevice61pkg:apk/chainguard/ffmpeg-7.1-libavfilter10pkg:apk/chainguard/ffmpeg-7.1-libavformat61pkg:apk/chainguard/ffmpeg-7.1-libavutil59pkg:apk/chainguard/ffmpeg-7.1-libpostproc58pkg:apk/chainguard/ffmpeg-7.1-libswresample5pkg:apk/chainguard/ffmpeg-7.1-libswscale8pkg:apk/chainguard/ffmpeg-7.1-qt-faststartpkg:apk/chainguard/ffmpeg-7.1-staticpkg:apk/chainguard/ffmpeg-7-devpkg:apk/chainguard/ffmpeg-7-docpkg:apk/chainguard/ffmpeg-7-libavcodec61pkg:apk/chainguard/ffmpeg-7-libavdevice61pkg:apk/chainguard/ffmpeg-7-libavfilter10pkg:apk/chainguard/ffmpeg-7-libavformat61pkg:apk/chainguard/ffmpeg-7-libavutil59pkg:apk/chainguard/ffmpeg-7-libpostproc58pkg:apk/chainguard/ffmpeg-7-libswresample5pkg:apk/chainguard/ffmpeg-7-libswscale8pkg:apk/chainguard/ffmpeg-7-qt-faststartpkg:apk/chainguard/ffmpeg-7-staticpkg:apk/wolfi/ffmpeg-7.1-devpkg:apk/wolfi/ffmpeg-7.1-docpkg:apk/wolfi/ffmpeg-7.1-libavcodec61pkg:apk/wolfi/ffmpeg-7.1-libavdevice61pkg:apk/wolfi/ffmpeg-7.1-libavfilter10pkg:apk/wolfi/ffmpeg-7.1-libavformat61pkg:apk/wolfi/ffmpeg-7.1-libavutil59pkg:apk/wolfi/ffmpeg-7.1-libpostproc58pkg:apk/wolfi/ffmpeg-7.1-libswresample5pkg:apk/wolfi/ffmpeg-7.1-libswscale8pkg:apk/wolfi/ffmpeg-7.1-qt-faststartpkg:apk/wolfi/ffmpeg-7.1-staticpkg:apk/wolfi/ffmpeg-7-devpkg:apk/wolfi/ffmpeg-7-docpkg:apk/wolfi/ffmpeg-7-libavcodec61pkg:apk/wolfi/ffmpeg-7-libavdevice61pkg:apk/wolfi/ffmpeg-7-libavfilter10pkg:apk/wolfi/ffmpeg-7-libavformat61pkg:apk/wolfi/ffmpeg-7-libavutil59pkg:apk/wolfi/ffmpeg-7-libpostproc58pkg:apk/wolfi/ffmpeg-7-libswresample5pkg:apk/wolfi/ffmpeg-7-libswscale8pkg:apk/wolfi/ffmpeg-7-qt-faststartpkg:apk/wolfi/ffmpeg-7-static
< 6.1.3-r0+ 59 more
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 6.1.3-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
- (no CPE)range: < 7.1.2-r0
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.