CVE-2017-9995
Publication date 28 June 2017
Last updated 25 August 2025
Ubuntu priority
Description
libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validate height and width data, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ffmpeg | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| libav | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.8 · High
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
Other references
- https://github.com/FFmpeg/FFmpeg/commit/2171dfae8c065878a2e130390eb78cf2947a5b69
- https://github.com/FFmpeg/FFmpeg/commit/7ac5067146613997bb38442cb022d7f41321a706
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1478
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1519
- https://www.cve.org/CVERecord?id=CVE-2017-9995