CVE-2024-35367: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg version n6.1.1 contains an Out-of-bounds Read vulnerability (CVE-2024-35367) discovered in November 2024. The vulnerability exists in the libavcodec/ppc/vp8dsp_altivec.c file, specifically in the static const vec_s8 h_subpel_filters_outer component (NVD, Debian Tracker).

The vulnerability is an Out-of-bounds Read issue in the VP8 video decoder implementation for PowerPC platforms using AltiVec instructions. The problem occurs due to insufficient array bounds checking in the h_subpel_filters_outer array, where h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2] are used together, but the latter doesn't support the full required range (FFmpeg Commit). The vulnerability has received a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) (NVD).

The Out-of-bounds Read vulnerability could potentially allow attackers to access memory outside of intended boundaries, which could lead to information disclosure or program crashes. This could affect systems running FFmpeg n6.1.1 with PowerPC processors using AltiVec instructions (NVD).

A fix has been implemented in FFmpeg by adding another element to the h_subpel_filters_outer array and adjusting its values based on the subpel_filters in libavcodec/vp8dsp.c. Users should upgrade to the patched version when available. The fix has been tested and verified by Sean McGovern (FFmpeg Commit).