Bug ID 1022921
Summary VUL-0: ffmpeg: remote exploitation results in code execution [ 2 - libavformat/rtmppkt.c ]
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is a result of research made by Emil Lerner <neex.emil () gmail com> and
Pavel Cheremushkin <paulcher () seclab cs msu su> and it is supposed to disclose
multiple issues we managed to find and exploit in FFmpeg software. Although all
vulnerabilities have been successfully patched by FFmpeg developers, this letter is
supposed to clarify all these issues and show that they are exploitable.

--[ 2 - libavformat/rtmppkt.c ]

The issue is a heap buffer overflow in the RTMP protocol. After a bit of reverse
engineering of the RTMP protocol you can notice that it uses chunks (of max 0x80
bytes) to _transfer_ data, but chunks of a bigger size can be used to _store_ the
data. Because the size of a packet is not checked to be the same as it was earlier
in the same transmission, you can first send a packet with a smaller size and then
a bigger size, and this results in a heap overflow[1]. If you can align the chunks
right you can achieve a write-what-where condition, and that results in RCE.

* [1] -
https://github.com/FFmpeg/FFmpeg/blob/d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173/libavformat/rtmppkt.c#L268 

The issue was fixed in
https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b3ee7 
===================================================

Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:

https://github.com/FFmpeg/FFmpeg/commit/32b95471a86ae383c0f76361d954aec511f7043a
===================================================

(open-)SUSE: https://software.opensuse.org/package/ffmpeg

TW: 3.2.22
42.2: 3.2
42.1: 2.8.8
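The chunk-size mismatch the quoted letter describes, modelled as an added example for this bug entry (constructed here; it is not FFmpeg's rtmppkt.c and not the code of the fix commit): a packet buffer is allocated from the size in the first chunk header, and later chunk headers for the same in-progress packet announce a larger size. The vulnerable feeder trusts each header; the hardened feeder rejects a header whose size differs from the size the packet was allocated with, which is the kind of check the fix is assumed to add. All names, the 0x100/0x200 sizes and the 'A'-filled chunk payloads are assumptions. The model counts the bytes the real memcpy would write past the buffer instead of writing them, so it runs without corrupting its own heap.

```c
/* Simplified model of RTMP chunk-stream reassembly (constructed for this
 * bug entry; not FFmpeg's rtmppkt.c). A message is announced with a size in
 * its first chunk header and then arrives in chunks of at most CHUNK_SIZE
 * bytes. The vulnerable reassembler trusts the size field of every chunk
 * header; the hardened one rejects a size that differs from the size the
 * in-progress packet was allocated with. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 0x80   /* default RTMP chunk size, as the letter notes */

enum { RTMP_PARTIAL = 0, RTMP_COMPLETE = 1, RTMP_ERR_SIZE = -1, RTMP_ERR_NOMEM = -2 };

typedef struct {
    uint8_t *data;   /* heap buffer sized from the FIRST header of the message */
    size_t   size;   /* length of that buffer */
    size_t   read;   /* bytes reassembled so far; 0 means no packet in progress */
} rtmp_packet;

static void packet_free(rtmp_packet *pkt)
{
    free(pkt->data);
    memset(pkt, 0, sizeof *pkt);
}

/* Shared tail: copy one chunk's worth of payload into the packet. Real code
 * would memcpy `to_copy` bytes unconditionally; here any bytes that would
 * land past pkt->data + pkt->size are counted in *spill instead of written. */
static int packet_append(rtmp_packet *pkt, size_t declared_size,
                         const uint8_t *payload, size_t payload_len,
                         size_t *spill)
{
    if (pkt->read == 0) {                 /* new message: allocate from header */
        free(pkt->data);
        pkt->data = malloc(declared_size ? declared_size : 1);
        if (!pkt->data) return RTMP_ERR_NOMEM;
        pkt->size = declared_size;
    }
    /* Bug: the remaining length is derived from THIS chunk's header, not
     * from the size the buffer was actually allocated with. */
    size_t remaining = declared_size > pkt->read ? declared_size - pkt->read : 0;
    size_t to_copy = remaining < CHUNK_SIZE ? remaining : CHUNK_SIZE;
    if (to_copy > payload_len) to_copy = payload_len;

    size_t room = pkt->read < pkt->size ? pkt->size - pkt->read : 0;
    size_t in_bounds = to_copy < room ? to_copy : room;
    memcpy(pkt->data + pkt->read, payload, in_bounds);
    *spill += to_copy - in_bounds;        /* what the real memcpy would overflow */
    pkt->read += to_copy;

    if (pkt->read >= declared_size) {     /* message complete: reset for the next one */
        pkt->read = 0;
        return RTMP_COMPLETE;
    }
    return RTMP_PARTIAL;
}

/* Vulnerable reassembler: no consistency check between chunk headers. */
static int feed_chunk_vulnerable(rtmp_packet *pkt, size_t declared_size,
                                 const uint8_t *payload, size_t payload_len,
                                 size_t *spill)
{
    return packet_append(pkt, declared_size, payload, payload_len, spill);
}

/* Hardened reassembler: a header for a packet already being reassembled must
 * announce the size it was allocated with (assumed shape of the upstream fix). */
static int feed_chunk_hardened(rtmp_packet *pkt, size_t declared_size,
                               const uint8_t *payload, size_t payload_len,
                               size_t *spill)
{
    if (pkt->read && declared_size != pkt->size)
        return RTMP_ERR_SIZE;
    return packet_append(pkt, declared_size, payload, payload_len, spill);
}

/* The sequence the letter describes, with constructed input: announce a small
 * message (0x100 bytes), deliver one chunk, then keep sending chunks whose
 * headers announce a bigger message (0x200 bytes). Returns the feeder's final
 * status; *spill receives the bytes that would have gone past the buffer. */
static int run_scenario(int hardened, size_t *spill)
{
    uint8_t chunk[CHUNK_SIZE];
    memset(chunk, 'A', sizeof chunk);
    rtmp_packet pkt = {0};
    *spill = 0;

    /* Chunk 1: header says the message is 0x100 bytes; a 0x100-byte buffer is allocated. */
    int status = hardened ? feed_chunk_hardened(&pkt, 0x100, chunk, sizeof chunk, spill)
                          : feed_chunk_vulnerable(&pkt, 0x100, chunk, sizeof chunk, spill);

    /* Chunks 2..4: headers now claim 0x200 bytes for the same in-progress message. */
    for (int i = 0; i < 3 && status == RTMP_PARTIAL; i++)
        status = hardened ? feed_chunk_hardened(&pkt, 0x200, chunk, sizeof chunk, spill)
                          : feed_chunk_vulnerable(&pkt, 0x200, chunk, sizeof chunk, spill);

    packet_free(&pkt);
    return status;
}

static int    scenario_status(int hardened) { size_t s; return run_scenario(hardened, &s); }
static size_t scenario_spill(int hardened)  { size_t s; run_scenario(hardened, &s); return s; }

int main(void)
{
    printf("vulnerable: status %d, %zu bytes past the 0x100-byte buffer\n",
           scenario_status(0), scenario_spill(0));
    printf("hardened:   status %d (RTMP_ERR_SIZE is %d), spill %zu\n",
           scenario_status(1), RTMP_ERR_SIZE, scenario_spill(1));
    return 0;
}
```

In the vulnerable run the third and fourth chunks each land 0x80 bytes beyond the 0x100-byte allocation (0x100 bytes of spill in total) and the message still reports as complete; the hardened feeder stops at the second chunk with RTMP_ERR_SIZE before anything is copied. Aligning what sits after that allocation is what the letter means by turning the overflow into a write-what-where.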

