- ffmpeg
- rasc
- heap
- exploitarium
news
FFmpeg RASC DLTA Heap OOB Write Calc PoC
Summary
Crafted RASC bitstream in AVI/RIFF overwrites adjacent callback pointer in PAL8 one-row decode — Calculator proof on upstream master. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | FFmpeg master @ bcd2c69e087a (2026-06-26) |
| Primitive | decode_dlta() 32-bit write past 64-byte PAL8 row |
| Impact | Heap corruption → hijacked get_buffer2 callback → arbitrary native code execution in decoder process. |
Attack Chain
Craft RASC packet → decode_dlta run type 7 → redirect callback → calc_callback
Mitigation
Track FFmpeg security releases; sandbox transcoding of untrusted media.
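A triage sketch to go with the sandboxing advice above, as an added example that is not from the upstream README or from FFmpeg: it walks an AVI/RIFF header and flags files whose video stream declares the RASC FourCC, so an ingest pipeline can route them to an isolated worker or reject them. The FourCC value `RASC`, the function names and the sample header are assumptions constructed for illustration.

```python
import struct

FLAGGED = {b"RASC"}  # assumption: FourCC that tags RASC video streams in AVI

def walk(buf, start, end, depth=0):
    """Yield (chunk_id, payload) for leaf chunks, descending into RIFF/LIST."""
    pos = start
    while pos + 8 <= end and depth < 8:          # depth cap stops nesting abuse
        cid, size = struct.unpack_from("<4sI", buf, pos)
        body = pos + 8
        stop = min(body + size, end)             # clamp sizes that overrun the parent
        if cid in (b"RIFF", b"LIST") and stop - body >= 4:
            yield from walk(buf, body + 4, stop, depth + 1)
        else:
            yield cid, buf[body:stop]
        pos = body + size + (size & 1)           # chunks are padded to even length

def video_fourccs(buf):
    """Return FourCCs declared by video streams (strh handler, strf biCompression)."""
    found = set()
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        return found
    is_video = False
    for cid, data in walk(buf, 0, len(buf)):
        if cid == b"strh" and len(data) >= 8:
            is_video = data[:4] == b"vids"
            if is_video:
                found.add(data[4:8].upper())
        elif cid == b"strf" and is_video and len(data) >= 20:
            found.add(data[16:20].upper())       # BITMAPINFOHEADER.biCompression
    return found

def should_quarantine(buf):
    return bool(video_fourccs(buf) & FLAGGED)

def chunk(cid, data):
    return cid + struct.pack("<I", len(data)) + data + b"\0" * (len(data) & 1)

def build_sample(fourcc):
    """Constructed header-only AVI (no frame data) used as test input."""
    strh = chunk(b"strh", b"vids" + fourcc + b"\0" * 48)
    bih = struct.pack("<IiiHH4sIiiII", 40, 320, 240, 1, 8, fourcc, 0, 0, 0, 0, 0)
    strl = chunk(b"LIST", b"strl" + strh + chunk(b"strf", bih))
    hdrl = chunk(b"LIST", b"hdrl" + strl)
    return chunk(b"RIFF", b"AVI " + hdrl)

if __name__ == "__main__":
    for tag in (b"RASC", b"MJPG"):
        print(tag.decode(), should_quarantine(build_sample(tag)))
```

A header check like this only decides routing: the declared FourCC is attacker-controlled metadata, so files that pass should still be decoded inside the sandbox.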