Bug 1034183 - (CVE-2017-7859) VUL-0: CVE-2017-7859: ffmpeg: heap-based buffer overflow (ff_h264_slice_context_init function in libavcodec/h264dec.c)
VUL-0: CVE-2017-7859: ffmpeg: heap-based buffer overflow (ff_h264_slice_conte...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: unspecified
Assigned To: Jan Engelhardt
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-04-14 11:31 UTC by Mikhail Kasimov
Modified: 2021-09-11 02:35 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-04-14 11:31:26 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7859

FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c.

Source:  MITRE      Last Modified:  04/14/2017


[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=713

Due to https://oss-fuzz.com/revisions?job=libfuzzer_asan_ffmpeg&range=201703011717:201703020000 from [1] the fix commit is https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb



3.2.4 (TW, 42.2, official repo)
2.8.8 (42.1, official repo)
Comment 1 Jan Engelhardt 2017-04-18 14:00:48 UTC
openSUSE does not build libavcodec/h264dec.c.
Comment 2 Bernhard Wiedemann 2017-04-18 16:01:47 UTC
This is an autogenerated message for OBS integration:
This bug (1034183) was mentioned in
https://build.opensuse.org/request/show/489106 42.2 / ffmpeg
Comment 3 Swamp Workflow Management 2017-04-28 10:10:04 UTC
openSUSE-SU-2017:1121-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022920,1022921,1022922,1034176,1034177,1034179,1034181,1034183
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2017-7859,CVE-2017-7862,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3-6.6.1
Comment 4 Swamp Workflow Management 2018-07-18 14:40:47 UTC
This is an autogenerated message for OBS integration:
This bug (1034183) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq