Hi Diego,

I've had a look at CVE-2015-8216 and couldn't reproduce it with the
sample. Further investigations convinced me that we can safely consider
libav v0.8.21 & v9.21 as unaffected.

Further explanations below.

--

The issue described by CVE-2015-8216 occurs in the ljpeg_decode_yuv_scan
function (MJPEG decoder). This function is used to decode MJPEG data with
YUV or GREY color space.

The vulnerable code is not present in libav 0.8.21 / 9.21 (and, as far as
I am aware, not in any libav version) and was introduced starting with
465eb0eb48a14f5308d7fa52c388e7be7170cc3e[0] in ffmpeg. It adds support
for 9 to 16-bit YUV and GREY lossless JPEGs.

libav only supports 8-bit GREY/YUV, so the affected feature is not even
present in libav and I think we can safely consider it as unaffected.

Regards,
Hugo

[0] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=465eb0eb48a14f5308d7fa52c388e7be7170cc3e
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA