[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

CVE-2015-8216 (libav)

Hi Diego,

I've had a look at CVE-2015-8216 and couldn't reproduce it with the
sample. Further investigations convinced me that we can safely consider
libav v0.8.21 & v9.21 as unaffected.

Further explanations below.


The issue described by CVE-2015-8216 occurs in the ljpeg_decode_yuv_scan
function (MJPEG decoder). This function is used to decode MJPEG data with
YUV or GREY color space.

The vulnerable code is not present in libav 0.8.21 / 9.21 (and, as far as
I am aware, not in any libav version) and has been introduced starting by
465eb0eb48a14f5308d7fa52c388e7be7170cc3e[0] in ffmpeg. It adds support
for 9 to 16-Bit YUV and GREY lossless jpegs.

libav only supports 8-Bit GREY/YUV, so the affected feature is not even
present in libav and I think we can safely consider it as unaffected.

[0] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=465eb0eb48a14f5308d7fa52c388e7be7170cc3e

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

Attachment: signature.asc
Description: PGP signature

Reply to: