FFmpeg ff_htmlmarkup_to_ass() Function Subtitle Decoder Denial of Service Vulnerability

A vulnerability in FFmpeg could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to improper memory operations performed by the ff_htmlmarkup_to_ass() function, as defined in the libavcodec/htmlsubtitles.c source code file of the affected software. An attacker could exploit this vulnerability by persuading a user to open a crafted video file in Matroska format that submits malicious input to the targeted system. A successful exploit could cause an out-of-bounds read condition in the subtitle decoder, which could result in a DoS condition.

FFmpeg has confirmed the vulnerability and released software updates.

Security Impact Rating: Medium

CVE: CVE-2019-9718

Source: Cisco Multivendor Vulnerability Alerts