Peng Deng

**Name of the Vulnerable Software and Affected Versions** p7zip version 16.02 **Description** A heap-buffer-overflow issue was discovered in the function `NArchive::NZip::CInArchive::FindCd(bool)` at `CPP/7zip/Archive/Zip/ZipIn.cpp`. This issue affects the `p7zip` software. **Recommendations** For p7zip version 16.02, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Libde265 versions 1.0.8 **Description** The issue is related to a heap-buffer-overflow vulnerability via the `ff hevc put weighted pred avg 8 sse` function in `sse-motion.cc`. This allows attackers to cause a Denial of Service (DoS) via a crafted video file. The vulnerability is associated with the Libde265 video codec implementation of h.265. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issue. As a temporary workaround, consider avoiding the use of the `ff hevc put weighted pred avg 8 sse` function until a patch is available. Restrict access to crafted video files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Libde265 versions 1.0.8 **Description** The issue is related to a heap-buffer-overflow vulnerability via the `mc luma` function in motion.cc, which allows attackers to cause a Denial of Service (DoS) via a crafted video file. This vulnerability is associated with the processing of `unsigned char` data type and can be exploited by a remote attacker. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issue. As a temporary workaround, consider restricting the use of the `mc luma` function in motion.cc to minimize the risk of exploitation. Avoid using the `mc luma` function with crafted video files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Libde265 versions 1.0.8 **Description** The issue is related to a stack-buffer-overflow in the `put epel hv fallback()` function when handling `unsigned short` data types. This allows attackers to cause a Denial of Service (DoS) via a crafted video file. The vulnerability can be exploited by a remote attacker. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issue. As a temporary workaround, consider disabling the `put epel hv fallback()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Libde265 version 1.0.8 **Description** The issue is related to a stack-buffer-overflow vulnerability via the `put qpel fallback()` function in `fallback-motion.cc`, which can be exploited by attackers to cause a Denial of Service (DoS) using a crafted video file. This vulnerability is associated with the `unsigned short` data type and can be triggered by a remote attacker. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issues. As a temporary workaround, consider disabling the `put qpel fallback()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Libde265 version 1.0.8 **Description** The issue is related to the `ff hevc put hevc qpel h 3 v 3 sse()` function in the Libde265 video codec implementation, which can cause a buffer overflow in memory. This can be exploited by a remote attacker using a specially crafted video file to cause a Denial of Service (DoS). The vulnerability allows attackers to cause a crash via the `ff hevc put hevc qpel h 3 v 3 sse()` function in `sse-motion.cc`. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issue. As a temporary workaround, consider disabling the `ff hevc put hevc qpel h 3 v 3 sse()` function until a patch is available. Restrict access to the `sse-motion.cc` module to minimize the risk of exploitation. Avoid using crafted video files that can trigger the Denial of Service (DoS) until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libde265 versions prior to 1.0.11 **Description** The issue is related to a heap-buffer-overflow in the `mc chroma` function within the `motion.cc` component of the libde265 video codec implementation. This allows attackers to cause a Denial of Service (DoS) by using a crafted video file. **Recommendations** For versions prior to 1.0.11, update to version 1.0.11 to fix the security issue.

**Name of the Vulnerable Software and Affected Versions** Libde265 versions 1.0.8 **Description** The issue is related to a heap-buffer-overflow vulnerability via the `put qpel fallback<unsigned short>` function in fallback-motion.cc. This allows attackers to cause a Denial of Service (DoS) via a crafted video file. The vulnerability is associated with a buffer overflow in the h.265 video codec implementation. **Recommendations** For Libde265 version 1.0.8, update to version 1.0.11 to fix the security issue. As a temporary workaround, consider restricting the use of the `put qpel fallback` function in fallback-motion.cc to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Libde265 version 1.0.8 **Description** The issue is related to a segmentation violation via the `apply sao internal` function in sao.cc, which can be exploited to cause a Denial of Service (DoS) by using a crafted video file. This can be achieved by an attacker acting remotely. The vulnerability is associated with a buffer overflow in the `apply sao internal<unsigned short>` function. **Recommendations** For Libde265 version 1.0.8, consider updating to version 1.0.11 to fix the security issues. As a temporary workaround, consider restricting the use of the `apply sao internal` function in sao.cc to minimize the risk of exploitation. Avoid using crafted video files that could trigger the Denial of Service (DoS) until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Libde265 version 1.0.8 **Description** The issue is related to a heap-buffer-overflow vulnerability via the `put epel hv fallback` function in `fallback-motion.cc`. This allows attackers to cause a Denial of Service (DoS) via a crafted video file. The vulnerability is associated with a buffer overflow, which can be exploited by a remote attacker using a specially crafted file. **Recommendations** For Libde265 version 1.0.8, consider updating to version 1.0.11 or later to fix the security issue. As a temporary workaround, consider restricting the use of the `put epel hv fallback` function in `fallback-motion.cc` to minimize the risk of exploitation. Avoid using crafted video files that could trigger the Denial of Service (DoS) until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GPAC version 2.1-DEV-rev368-gfd054169b-master **Description** A memory leak was discovered in GPAC via the component `gf odf new iod` at `odf/odf code.c`. This issue affects the specified version of GPAC. **Recommendations** For GPAC version 2.1-DEV-rev368-gfd054169b-master, consider restricting access to the `gf odf new iod` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 2.1-DEV-rev368-gfd054169b-master **Description** A memory leak was discovered in GPAC via the component `gf list new` at `utils/list.c`. **Recommendations** For GPAC version 2.1-DEV-rev368-gfd054169b-master, consider restricting access to the `gf list new` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.