Bug 1034181 - (CVE-2017-7862) VUL-0: CVE-2017-7862: ffmpeg: heap-based buffer overflow (decode_frame function in libavcodec/pictordec.c)
VUL-0: CVE-2017-7862: ffmpeg: heap-based buffer overflow (decode_frame functi...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: unspecified
Assigned To: Jan Engelhardt
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-04-14 11:25 UTC by Mikhail Kasimov
Modified: 2021-09-11 02:35 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-04-14 11:25:44 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7862

FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c.

Source:  MITRE      Last Modified:  04/14/2017


[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=559

[2] https://github.com/FFmpeg/FFmpeg/commit/8c2ea3030af7b40a3c4275696fb5c76cdb80950a



3.2.4 (TW, 42.2, official repo)
2.8.8 (42.1, official repo)
Comment 1 Jan Engelhardt 2017-04-18 13:36:35 UTC
pictordec is not enabled in openSUSE.
Comment 2 Bernhard Wiedemann 2017-04-18 16:01:42 UTC
This is an autogenerated message for OBS integration:
This bug (1034181) was mentioned in
https://build.opensuse.org/request/show/489106 42.2 / ffmpeg
Comment 3 Swamp Workflow Management 2017-04-28 10:09:54 UTC
openSUSE-SU-2017:1121-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022920,1022921,1022922,1034176,1034177,1034179,1034181,1034183
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2017-7859,CVE-2017-7862,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3-6.6.1
Comment 4 Swamp Workflow Management 2018-07-18 14:40:43 UTC
This is an autogenerated message for OBS integration:
This bug (1034181) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq