Hi Diego,

I've had a look at CVE-2015-8216 and couldn't reproduce it with the sample. Further investigations convinced me that we can safely consider libav v0.8.21 & v9.21 as unaffected. Further explanations below.

--

The issue described by CVE-2015-8216 occurs in the ljpeg_decode_yuv_scan function (MJPEG decoder). This function is used to decode MJPEG data with YUV or GREY color space.

The vulnerable code is not present in libav 0.8.21 / 9.21 (and, as far as I am aware, not in any libav version) and has been introduced starting with 465eb0eb48a14f5308d7fa52c388e7be7170cc3e[0] in ffmpeg. It adds support for 9 to 16-Bit YUV and GREY lossless jpegs.

libav only supports 8-Bit GREY/YUV, so the affected feature is not even present in libav and I think we can safely consider it as unaffected.

Regards,
Hugo

[0] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=465eb0eb48a14f5308d7fa52c388e7be7170cc3e

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA