CVE-2017-14225 — NULL Pointer Dereference in Ffmpeg

CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 42.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedSep 9

Latest updateMay 17

Description

The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:3.3.4-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:3.3.4-1+3

▶NVDffmpeg/ffmpeg3.3.3

Patches

Patch: github.com ↗Patch: lists.ffmpeg.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-27fw-6hp8-fgww: The av_color_primaries_name function in libavutil/pixdesc↗2022-05-17

▶

OSV

CVE-2017-14225: The av_color_primaries_name function in libavutil/pixdesc↗2017-09-09

▶

📋Vendor Advisories

Debian

CVE-2017-14225: ffmpeg - The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may ...↗2017

▶