CVE-2024-35366 Overview
CVE-2024-35366 is an Integer Overflow vulnerability affecting FFmpeg n6.1.1. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input, allowing negative duration values to be accepted without proper bounds checking. This flaw can be exploited remotely by an attacker to cause high integrity and availability impacts on affected systems.
Critical Impact
This integer overflow vulnerability in FFmpeg's SBG decoder can be exploited remotely without authentication, potentially leading to data corruption or denial of service conditions in applications processing malicious media files.
Affected Products
- FFmpeg version 6.1.1
- Applications and services utilizing FFmpeg libavformat for media processing
- Systems with vulnerable FFmpeg versions processing untrusted SBG format files
Discovery Timeline
- 2024-11-29 - CVE-2024-35366 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2024-35366
Vulnerability Analysis
The vulnerability resides in FFmpeg's SBG (Sound Blaster Game) file format decoder, specifically in the parse_options function located in libavformat/sbgdec.c. The core issue stems from inadequate input validation when processing the -L option, which specifies duration values. The function str_to_time() parses user-supplied input and converts it to a duration value, but prior to the patch, no validation was performed to ensure the resulting duration was non-negative.
This oversight allows an attacker to supply crafted SBG files containing negative duration values, which can cause integer overflow conditions when the duration is subsequently used in calculations. The network attack vector indicates that exploitation can occur when FFmpeg processes malicious files received over a network, such as through streaming applications or web services that transcode media.
Root Cause
The root cause is missing bounds checking in the parse_options function within sbgdec.c. When the -L option argument is parsed via str_to_time(), the code only verified that the parsing consumed the expected input string, but failed to validate that the resulting opt_duration value was within acceptable bounds. Negative duration values, which are semantically invalid for time-based operations, were accepted and stored in p->scs.opt_duration, leading to potential integer overflow conditions in subsequent processing.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious SBG file whose option parameters resolve to a negative duration value. When FFmpeg processes this file, whether through direct command-line invocation, library API calls, or as part of a larger media processing pipeline, the integer overflow occurs. Because the attack vector is network-based, the flaw can be triggered remotely when applications accept and process untrusted media files from external sources.
case 'L':
FORWARD_ERROR(parse_optarg(p, opt, &oarg));
r = str_to_time(oarg.s, &p->scs.opt_duration);
- if (oarg.e != oarg.s + r) {
+ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
snprintf(p->err_msg, sizeof(p->err_msg),
"syntax error for option -L");
return AVERROR_INVALIDDATA;
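Review bot: the new `|| p->scs.opt_duration < 0` branch reuses the "syntax error for option -L" message, so a well-formed but negative duration is reported exactly like a malformed one; consider a distinct message (for example "negative duration for option -L") so logs can tell the two cases apart, and a short comment above the check noting that str_to_time() can yield a negative value that must be rejected here.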
Source: GitHub FFmpeg Commit
The patch adds a simple but critical check || p->scs.opt_duration < 0 to reject negative duration values and return an AVERROR_INVALIDDATA error, preventing the integer overflow from occurring.
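As an added illustration (not code from FFmpeg or from this advisory), the following C program models the pre-patch and post-patch -L option checks side by side, using a simplified stand-in for str_to_time(). The parse_time() grammar, struct sbg_opts, SBG_ERR_INVALIDDATA and TIME_BASE are constructed assumptions for the example, not FFmpeg's own definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for FFmpeg's AVERROR_INVALIDDATA and AV_TIME_BASE. */
#define SBG_ERR_INVALIDDATA (-1)
#define TIME_BASE 1000000LL   /* microseconds */

/* Hypothetical context holding the opt_duration field the advisory names. */
struct sbg_opts { int64_t opt_duration; };

/* Simplified stand-in for str_to_time(): accepts an optionally signed
   "[HH:]MM:SS" or plain-seconds value, stores microseconds in *out and
   returns the bytes consumed (0 if nothing parsed). Not the real grammar. */
static int parse_time(const char *s, int64_t *out)
{
    const char *cur = s;
    int64_t total = 0, sign = 1;
    if (*cur == '-') { sign = -1; cur++; }
    for (;;) {
        char *end;
        if (*cur < '0' || *cur > '9') return 0;  /* a digit is required here */
        total = total * 60 + strtoll(cur, &end, 10);
        cur = end;
        if (*cur != ':') break;
        cur++;
    }
    *out = sign * total * TIME_BASE;
    return (int)(cur - s);
}

/* Pre-patch logic: only "was the whole argument consumed" is checked, so a
   negative duration such as "-30" is stored unchanged. */
static int parse_L_vulnerable(struct sbg_opts *p, const char *arg)
{
    int r = parse_time(arg, &p->opt_duration);
    if (arg + strlen(arg) != arg + r)          /* mirrors oarg.e != oarg.s + r */
        return SBG_ERR_INVALIDDATA;
    return 0;
}

/* Post-patch logic: the same check plus the opt_duration < 0 rejection. */
static int parse_L_patched(struct sbg_opts *p, const char *arg)
{
    int r = parse_time(arg, &p->opt_duration);
    if (arg + strlen(arg) != arg + r || p->opt_duration < 0)
        return SBG_ERR_INVALIDDATA;
    return 0;
}
```

With "-30" the vulnerable variant returns success and stores -30 seconds, while the patched variant rejects it with SBG_ERR_INVALIDDATA; malformed input such as "10x" is rejected by both.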
Detection Methods for CVE-2024-35366
Indicators of Compromise
- Unexpected crashes or abnormal termination in FFmpeg processes when handling SBG files
- Error logs indicating memory corruption or integer overflow in libavformat operations
- Anomalous CPU or memory utilization during media processing tasks
Detection Strategies
- Implement file type validation to identify and scrutinize SBG format files before processing
- Monitor FFmpeg process behavior for unexpected crashes or resource consumption patterns
- Deploy application-level logging to capture AVERROR_INVALIDDATA return codes from sbgdec operations
- Use software inventory or vulnerability scanning tools to identify FFmpeg version 6.1.1 installations across the environment
Monitoring Recommendations
- Enable verbose logging in FFmpeg-based applications to capture parsing errors
- Monitor system logs for segmentation faults or memory errors from FFmpeg processes
- Implement network traffic analysis to detect potentially malicious media file transfers
- Configure alerting for FFmpeg process terminations with abnormal exit codes
How to Mitigate CVE-2024-35366
Immediate Actions Required
- Update FFmpeg to a version containing commit 0bed22d597b78999151e3bde0768b7fe763fc2a6 or later
- Restrict processing of SBG format files from untrusted sources where possible
- Implement input validation at the application layer before passing files to FFmpeg
- Consider isolating FFmpeg processing in sandboxed environments to limit impact
Patch Information
FFmpeg has released a security patch addressing this vulnerability. The fix is available in commit 0bed22d597b78999151e3bde0768b7fe763fc2a6. Organizations should update to a patched version by compiling from source with this commit included, or by upgrading to a release version that incorporates the fix. The patch can be reviewed at the FFmpeg GitHub Repository.
Workarounds
- Disable SBG demuxer support at build time (for example with the configure option --disable-demuxer=sbg) if your use case does not require it
- Implement pre-processing validation to reject SBG files from untrusted sources
- Use network-level filtering to block or quarantine suspicious media files before processing
- Deploy containerization to isolate FFmpeg processes and limit potential damage from exploitation
# Verify FFmpeg version and check if vulnerable
ffmpeg -version | grep "ffmpeg version"
# Rebuild FFmpeg from source with the security patch
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
git checkout 0bed22d597b78999151e3bde0768b7fe763fc2a6
./configure --prefix=/usr/local
make -j$(nproc)
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.