CVE-2017-9994

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-9994
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9994.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-9994
Downstream
Related
Published
2017-06-28T06:29:00.550Z
Modified
2026-02-24T11:25:01.919036Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 does not ensure that pixfmt is set, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the vp8decodembrownofilter and pred8x8128dc8c functions.

References

Affected packages

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef
Introduced
340cea9f22c162e10d120835661e132721b7454b
Fixed
5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0
Introduced
c40983a6f631d22fede713d535bb9c31d5c9740c
Fixed
b33d01d8a253028083df250b5d4a2e43e5560c64
Introduced
efa89a841941bf61d1a3eb5c2900f98e3e7db85b
Fixed
c1c50650df6cef69c392ad0d544c30e571e24214
Introduced
fbc96c50d72f55131e43939e38c1e5af4315a755
Fixed
9b9a620ce6983ea56a0b94501e4661d2ccf916d8

Affected versions

n3.*
n3.0
n3.0.1
n3.0.2
n3.0.3
n3.0.4
n3.0.5
n3.0.6
n3.0.7
n3.1
n3.1-dev
n3.1.1
n3.1.2
n3.1.3
n3.1.4
n3.1.5
n3.1.6
n3.1.7
n3.2
n3.2-dev
n3.2.1
n3.2.2
n3.2.3
n3.2.4
n3.3
n3.3-dev
n3.4-dev

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9994.json"
vanir_signatures 
[
    {
        "signature_type": "Function",
        "target": {
            "file": "libavcodec/webp.c",
            "function": "vp8_lossy_decode_frame"
        },
        "deprecated": false,
        "digest": {
            "length": 807.0,
            "function_hash": "63037889122877983806885686506885793535"
        },
        "id": "CVE-2017-9994-073ac825",
        "signature_version": "v1",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "libavcodec/vp8.c",
            "function": "vp78_decode_frame"
        },
        "deprecated": false,
        "digest": {
            "length": 4741.0,
            "function_hash": "12811538007009368521768820160525171352"
        },
        "id": "CVE-2017-9994-0803633b",
        "signature_version": "v1",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "libavcodec/vp8.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "59530602348887585127343468186882345762",
                "212201494289102489329007751342773101572",
                "17531334238279980247689878590253058405"
            ]
        },
        "id": "CVE-2017-9994-2789a265",
        "signature_version": "v1",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "libavformat/tests/fifo_muxer.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "171761850885783161694918931923155613653",
                "287454683090357633262522277026531572655",
                "283892481322314227092797983348005820398",
                "220739420317396261739711762453104130432"
            ]
        },
        "id": "CVE-2017-9994-31eccf5a",
        "signature_version": "v1",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "libavcodec/webp.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "276775926823435890395552855712813588257",
                "329621359807923611954894778885133601440",
                "31770340694690976363564959590920458536",
                "140287423863305662298629688925795152162",
                "201153677553983936514563381634874476530",
                "84348492142917805256586395988190157211"
            ]
        },
        "id": "CVE-2017-9994-3d89ee6c",
        "signature_version": "v1",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"
    }
]

Git / github.com/wordpress/wordpress

Affected ranges

Type
GIT
Repo
https://github.com/wordpress/wordpress
Events
Introduced
127fc5dcc66b799f47a84746cc3ea4dec694eff2
Fixed
a67b6501e7e386f567d75c3abda3e5a0b70703cf

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9994.json"