CVE-2019-9718

Name of the Vulnerable Software and Affected Versions FFmpeg versions 3.2 through 4.1

Description The issue is related to a denial of service in the subtitle decoder, allowing attackers to consume excessive CPU resources via a crafted video file in Matroska format. This is due to the ff htmlmarkup to ass function in libavcodec/htmlsubtitles.c having a complex format argument to sscanf. The vulnerability is also associated with a buffer overflow read in the ff htmlmarkup to ass function of the FFmpeg multimedia library. Exploitation of this issue may enable a remote attacker to cause a denial of service using a specially crafted video file in Matroska format.

Recommendations For FFmpeg versions 3.2 through 4.1, consider disabling the ff htmlmarkup to ass function as a temporary workaround until a patch is available. Restrict access to Matroska video files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.