CVE-2017-14170

Name of the Vulnerable Software and Affected Versions FFmpeg versions 2.4 through 3.3.3

Description The issue is related to errors in resource management in the mxf read index entry array function of the FFmpeg library. It can be exploited by a remote attacker to cause consumption of computational resources and denial of service using a specially crafted MXF file. This file requires a large value in the nb index entries field in the header but does not contain sufficient backing data. As a result, the loop consumes significant CPU resources due to the lack of an End of File (EOF) check. If there are multiple applicable data segments in the crafted MXF file, this large loop can be invoked multiple times.

Recommendations For FFmpeg versions 2.4 through 3.3.3, consider disabling the mxf read index entry array function until a patch is available to prevent potential denial of service attacks. Restrict access to MXF files with large nb index entries fields in the header to minimize the risk of exploitation. Avoid using the nb index entries field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.