CVE-2015-8363 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Ffmpeg

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 34.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedNov 26

Latest updateMay 14

Description

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:2.8.3-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:2.8.3-1+3

▶NVDffmpeg/ffmpeg7 versions+6

🔴Vulnerability Details

GHSA

GHSA-vwvh-8cf7-fc96: The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec↗2022-05-14

▶

OSV

CVE-2015-8363: The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec↗2015-11-26

▶

📋Vendor Advisories

Debian

CVE-2015-8363: ffmpeg - The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg be...↗2015

▶