In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c does not limit the number of reload attempts when the list (the HLS playlist) is insufficient, which allows remote attackers to cause a denial of service (infinite loop).
[ { "deprecated": false, "target": { "file": "libavformat/hls.c", "function": "read_data" }, "signature_type": "Function", "source": "https://github.com/ffmpeg/ffmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a", "digest": { "length": 2424.0, "function_hash": "307616992488961155689353451593472058202" }, "id": "CVE-2017-14058-00bfb969", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "libavformat/hls.c" }, "signature_type": "Line", "source": "https://github.com/ffmpeg/ffmpeg/commit/7ba100d3e6e8b1e5d5342feb960a7f081d6e15af", "digest": { "line_hashes": [ "304165080079877529652181346720074499131", "162067093324696288953250956199808354876", "14741327823679758051667399565703620663", "103528835990820388798780638136162256474", "212210046328153511575685196694234427974", "176073871505549656761287110408664618383", "30391042795318001125261069865418981873", "313142887063955675613583277320037644203", "199790939807906335678849154372936472953", "65697736203760585144547338555385364426", "137674149634999590985749251598179956159", "224622235900015262281358376059801374555", "12386283591187879730390212292236685420", "199246036475103184441872826726779780060", "115262420892497008388419261859858552489", "140305884192726122940432131855497107686" ], "threshold": 0.9 }, "id": "CVE-2017-14058-2210bb97", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "libavformat/hls.c", "function": "read_data" }, "signature_type": "Function", "source": "https://github.com/ffmpeg/ffmpeg/commit/7ba100d3e6e8b1e5d5342feb960a7f081d6e15af", "digest": { "length": 2068.0, "function_hash": "321259516116468729858418046728872710930" }, "id": "CVE-2017-14058-22cc831c", "signature_version": "v1" }, { "deprecated": false, "target": { "file": "libavformat/hls.c" }, "signature_type": "Line", "source": "https://github.com/ffmpeg/ffmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a", "digest": { "line_hashes": [ "188304760659666760334610689520730816561", 
"276758316171052682441557897754958225397", "63791673241347399776134849094345201559", "103528835990820388798780638136162256474", "212210046328153511575685196694234427974", "176073871505549656761287110408664618383", "30391042795318001125261069865418981873", "313142887063955675613583277320037644203", "199790939807906335678849154372936472953", "65697736203760585144547338555385364426", "60806949653493904052568925773388884442", "6971350420336912076190345485067875612", "12386283591187879730390212292236685420", "199246036475103184441872826726779780060", "115262420892497008388419261859858552489", "140305884192726122940432131855497107686" ], "threshold": 0.9 }, "id": "CVE-2017-14058-3227b939", "signature_version": "v1" } ]