CVE-2019-15296

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-15296
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-15296.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-15296
Downstream
Published
2019-08-21T07:15:10Z
Modified
2025-09-19T10:35:20.486811Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The faadresetbits function in libfaad/bits.c is affected by a buffer overflow vulnerability. The number of bits to be read is determined by ld->buffersize - words4, cast to uint32. If ld->buffer_size - words4 is negative, a buffer overflow is later performed via getdwordn(&ld->start[words], ld->bytesleft).

References

Affected packages

Alpine:v3.10

faad2

Package

Name
faad2
Purl
pkg:apk/alpine/faad2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0-r0

Affected versions

2.*

2.7-r0
2.7-r1
2.7-r2
2.7-r3
2.7-r4
2.7-r5
2.7-r6
2.7-r7
2.7-r8
2.8.8-r0

Alpine:v3.11

faad2

Package

Name
faad2
Purl
pkg:apk/alpine/faad2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0-r0

Affected versions

2.*

2.7-r0
2.7-r1
2.7-r2
2.7-r3
2.7-r4
2.7-r5
2.7-r6
2.7-r7
2.7-r8
2.8.8-r0

Alpine:v3.7

faad2

Package

Name
faad2
Purl
pkg:apk/alpine/faad2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0-r0

Affected versions

2.*

2.7-r0
2.7-r1
2.7-r2
2.7-r3
2.7-r4
2.7-r5
2.7-r6
2.7-r7

Alpine:v3.8

faad2

Package

Name
faad2
Purl
pkg:apk/alpine/faad2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0-r0

Affected versions

2.*

2.7-r0
2.7-r1
2.7-r2
2.7-r3
2.7-r4
2.7-r5
2.7-r6
2.7-r7
2.7-r8

Alpine:v3.9

faad2

Package

Name
faad2
Purl
pkg:apk/alpine/faad2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0-r0

Affected versions

2.*

2.7-r0
2.7-r1
2.7-r2
2.7-r3
2.7-r4
2.7-r5
2.7-r6
2.7-r7
2.7-r8

Git

github.com/knik0/faad2

Affected ranges

Type
GIT
Repo
https://github.com/knik0/faad2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

2_8_0
2_8_1
2_8_2
2_8_3
2_8_4
2_8_5
2_8_6
2_8_7
2_8_8
FAAD2_2_5
FAAD2_2_7
FAAD2_2_7_1
arelease
ver_2_0

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "124005640876210091824677984462777690187",
                "length": 745.0
            },
            "id": "CVE-2019-15296-4aefd7e4",
            "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
            "signature_type": "Function",
            "signature_version": "v1",
            "target": {
                "file": "libfaad/bits.c",
                "function": "faad_resetbits"
            },
            "deprecated": false
        },
        {
            "digest": {
                "function_hash": "165736104238157740616725237501300890403",
                "length": 622.0
            },
            "id": "CVE-2019-15296-5875c100",
            "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
            "signature_type": "Function",
            "signature_version": "v1",
            "target": {
                "file": "libfaad/syntax.c",
                "function": "excluded_channels"
            },
            "deprecated": false
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "239380615314083555352035408016690435173",
                    "147704977208189036895939348227306827051",
                    "329365327040791695350858963688367662444",
                    "216007562013221147565173244163313314080"
                ]
            },
            "id": "CVE-2019-15296-d7b852b1",
            "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
            "signature_type": "Line",
            "signature_version": "v1",
            "target": {
                "file": "libfaad/syntax.c"
            },
            "deprecated": false
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "296485932489754999999010566109813086322",
                    "251849693720230703288183735121492209136",
                    "36364199145169944277639805905228073757",
                    "82595847432278138315702463307550916764"
                ]
            },
            "id": "CVE-2019-15296-fdd5e5d9",
            "source": "https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174",
            "signature_type": "Line",
            "signature_version": "v1",
            "target": {
                "file": "libfaad/bits.c"
            },
            "deprecated": false
        }
    ]
}