CVE-2024-35366: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg version n6.1.1 contains an Integer Overflow vulnerability (CVE-2024-35366) discovered on November 29, 2024. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input, allowing for negative duration values to be accepted without proper bounds checking (NVD, GitHub Gist).

The vulnerability is classified as an Integer Overflow (CWE-190) with a CVSS v3.1 Base Score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). The issue specifically occurs in the parse_options function within sbgdec.c, where the code fails to properly validate negative duration values during input parsing (NVD).

The vulnerability could potentially lead to a denial-of-service (DoS) condition or other undefined behavior when processing certain input files. The high CVSS score indicates that successful exploitation could result in significant impact on system integrity and availability (NVD).

A patch has been released to address this vulnerability. The fix involves adding proper validation checks for negative duration values in the parse_options function. Users should update to a patched version of FFmpeg (FFmpeg Commit).