CVE-2017-14054

Name of the Vulnerable Software and Affected Versions FFmpeg versions 3.3.3

Description The issue is related to the ivr read header function in the FFmpeg multimedia library, specifically in libavformat/rmdec.c, and is caused by resource management errors. Exploitation of this issue can allow a remote attacker to cause memory exhaustion and denial of service using a specially crafted IVR file. This file would claim a large len field in the header but not contain sufficient backing data, leading to significant CPU resource consumption due to the lack of an End of File (EOF) check in the loop.

Recommendations For FFmpeg version 3.3.3, as a temporary workaround, consider disabling the ivr read header function until a patch is available. Restrict access to files that could potentially exploit this issue to minimize the risk of denial of service. Avoid using crafted IVR files that claim large len fields without sufficient backing data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.