CVE-2025-59729

Source
https://cve.org/CVERecord?id=CVE-2025-59729
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59729.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59729
Downstream
Published
2025-10-06T08:08:46.060Z
Modified
2026-07-15T01:48:49.774896886Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N CVSS Calculator
Summary
Heap-buffer-overflow read in FFmpeg DHAV get_duration
Details

When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.

If we load a DHAV file that is larger than MAXDURATIONBUFFERSIZE bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have endbuffersize = 0x100000, and at [2] we have endbuffer_pos = 0x1000.

The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.

There is subsequently a check [3] that endpos is within the section of the file that has been copied into endbuffer, but it only correctly handles the cases where endpos is before the start of the file or after the section copied into endbuffer, and not the case where endpos is within the the file, but before the section copied into endbuffer. If we provide such an offset, (endpos - endbuffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.

We recommend upgrading to version 8.0 or beyond.

Database specific
{
    "cwe_ids": [
        "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59729.json",
    "cna_assigner": "Google"
}
References

Affected packages

Git / git.ffmpeg.org/ffmpeg.git

Affected ranges

Type
GIT
Repo
https://git.ffmpeg.org/ffmpeg.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "a218cafe4d3be005ab0c61130f90db4d21afb5db"
        },
        {
            "fixed": "8.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev
n5.*
n5.1-dev
n5.2-dev
n6.*
n6.1-dev
n6.2-dev
n7.*
n7.1-dev
n7.2-dev

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59729.json"