CVE-2024-36618: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg version n6.1.1 contains a vulnerability in the AVI demuxer component of the libavformat library. The vulnerability (CVE-2024-36618) was disclosed on November 29, 2024, and involves an integer overflow condition that could potentially result in a denial-of-service (DoS) situation. This affects the FFmpeg multimedia framework's ability to process AVI files safely (NVD, Ubuntu).

The vulnerability exists in the AVI demuxer's stream handling code within the libavformat library. Specifically, the issue occurs in the checkstreammaxdrift function in avidec.c where an integer overflow could occur when ULONGMAX is less than INT64_MAX. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, FFmpeg Commit).

The primary impact of this vulnerability is the potential for denial-of-service (DoS) conditions when processing malformed AVI files. When successfully exploited, the integer overflow could cause the application to crash or become unresponsive, affecting the availability of systems using the vulnerable FFmpeg version (NVD).

A fix has been implemented and committed to the FFmpeg repository. The patch modifies the checkstreammax_drift function in avidec.c to prevent the integer overflow condition. Users should upgrade to a patched version of FFmpeg when available. For Ubuntu systems, the fix status varies by version, with some versions marked as vulnerable and requiring updates (Ubuntu, FFmpeg Commit).