CVE-2019-15296

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-15296
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-15296.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-15296
Downstream
Published
2019-08-21T07:15:10Z
Modified
2025-10-15T10:19:22.779959Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The faadresetbits function in libfaad/bits.c is affected by a buffer overflow vulnerability. The number of bits to be read is determined by ld->buffersize - words4, cast to uint32. If ld->buffer_size - words4 is negative, a buffer overflow is later performed via getdwordn(&ld->start[words], ld->bytesleft).

References

Affected packages

Git / github.com/knik0/faad2

Affected ranges

Type
GIT
Repo
https://github.com/knik0/faad2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
942c3e0aee748ea6fe97cb2c1aa5893225316174

Affected versions

Other

2_8_0
2_8_1
2_8_2
2_8_3
2_8_4
2_8_5
2_8_6
2_8_7
2_8_8
FAAD2_2_5
FAAD2_2_7
FAAD2_2_7_1
arelease
ver_2_0

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2019-15296-4aefd7e4",
        "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "faad_resetbits",
            "file": "libfaad/bits.c"
        },
        "digest": {
            "function_hash": "124005640876210091824677984462777690187",
            "length": 745.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2019-15296-5875c100",
        "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "excluded_channels",
            "file": "libfaad/syntax.c"
        },
        "digest": {
            "function_hash": "165736104238157740616725237501300890403",
            "length": 622.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2019-15296-d7b852b1",
        "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "libfaad/syntax.c"
        },
        "digest": {
            "line_hashes": [
                "239380615314083555352035408016690435173",
                "147704977208189036895939348227306827051",
                "329365327040791695350858963688367662444",
                "216007562013221147565173244163313314080"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2019-15296-fdd5e5d9",
        "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "libfaad/bits.c"
        },
        "digest": {
            "line_hashes": [
                "296485932489754999999010566109813086322",
                "251849693720230703288183735121492209136",
                "36364199145169944277639805905228073757",
                "82595847432278138315702463307550916764"
            ],
            "threshold": 0.9
        }
    }
]