PT-2017-13688 · FFmpeg+1 · Libbpg+2
Leonzhao7
·
Published
2017-09-27
·
Updated
2019-03-15
·
CVE-2017-14795
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
libbpg version 0.9.7
Description
The issue is related to the
hevc write frame function in libbpg.c, which allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and application crash, or possibly have other unspecified impacts via a crafted BPG file. This is due to improper interaction with hls pcm sample in hevc.c and put pcm var in hevcdsp template.c, both in libavcodec in FFmpeg.Recommendations
For libbpg version 0.9.7, consider avoiding the use of the
hevc write frame function until a patch is available. As a temporary workaround, restrict the handling of crafted BPG files to minimize the risk of exploitation.Exploit
Fix
DoS
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Libavcodec
Libbpg