ffmpeg-6
Chainguard
Status
Impact
The stereotools buffer overflow vulnerability is NOT fixed in FFmpeg 6.1.2. The December 2023 fix (commit e6459abfad) adding +9 for proper rounding is not present. The vulnerable code at libavfilter/af_stereotools.c:122 uses integer division that rounds down, causing undersized buffer allocation for certain sample rates. For example, sample_rate=44099 would allocate insufficient buffer space. The fix ensures proper ceiling division by adding 9 before dividing by 10.
Status