OFFSITE.DARK

Jun 29, 2026

Sploitus / Exploitarium

  • ffmpeg
  • rasc
  • heap
  • exploitarium

news

FFmpeg RASC DLTA Heap OOB Write Calc PoC

Crafted RASC bitstream in AVI/RIFF overwrites adjacent callback pointer in PAL8 one-row decode — Calculator proof on upstream master.

Summary

This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

| Finding | Detail |
|---|---|
| Product / target | FFmpeg master @ bcd2c69e087a (2026-06-26) |
| Primitive | decode_dlta() 32-bit write past 64-byte PAL8 row |
| Impact | Heap corruption → hijacked get_buffer2 callback → arbitrary native code execution in decoder process. |

Attack Chain

Craft RASC packet → decode_dlta run type 7 → redirect callback → calc_callback
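
The bug class named in the Primitive finding (a 4-byte store that runs past a 64-byte row into whatever sits next to it), modelled as an added example beside the bounds check that rejects it. This is not FFmpeg's decode_dlta() code or the PoC; the arena layout, the 8-byte neighbour, the cursor values and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROW_BYTES       64  /* one PAL8 row of 64 bytes, as stated on the page */
#define NEIGHBOUR_BYTES 8   /* assumed: pointer-sized object right after the row */

/* Constructed model: row and neighbour share one array, so the out-of-row
 * store below stays inside defined C behaviour. */
struct arena {
    uint8_t bytes[ROW_BYTES + NEIGHBOUR_BYTES];
};

static void arena_reset(struct arena *a)
{
    memset(a->bytes, 0xAA, sizeof a->bytes);
}

/* Unchecked form: trusts the cursor x and always stores 4 bytes. */
static void store32_unchecked(struct arena *a, size_t x, uint32_t v)
{
    memcpy(&a->bytes[x], &v, sizeof v);
}

/* Checked form: the whole 4-byte store must fit inside the row. */
static int store32_checked(struct arena *a, size_t x, uint32_t v)
{
    if (x > ROW_BYTES - sizeof v)   /* rejects x = 61, 62, 63 and larger */
        return -1;
    memcpy(&a->bytes[x], &v, sizeof v);
    return 0;
}

/* Count neighbour bytes that no longer hold the 0xAA fill value. */
static int neighbour_damage(const struct arena *a)
{
    int n = 0;
    for (size_t i = ROW_BYTES; i < sizeof a->bytes; i++)
        n += a->bytes[i] != 0xAA;
    return n;
}

int main(void)
{
    struct arena a;
    arena_reset(&a);
    store32_unchecked(&a, 62, 0x11223344u);
    printf("unchecked x=62: %d neighbour bytes changed\n", neighbour_damage(&a));
    arena_reset(&a);
    int rc = store32_checked(&a, 62, 0x11223344u);
    printf("checked   x=62: rc=%d, %d neighbour bytes changed\n", rc, neighbour_damage(&a));
    return 0;
}
```

The check compares the cursor against the row size minus the store width, so a wide store is rejected as soon as any of its bytes would leave the row, not only when its first byte does.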

Mitigation

Track FFmpeg security releases; sandbox transcoding of untrusted media.
