{"id":"CVE-2017-9992","details":"Heap-based buffer overflow in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.","modified":"2026-04-16T01:47:11.287526089Z","published":"2017-06-28T06:29:00.487Z","references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-4012"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99319"},{"type":"ADVISORY","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1345"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1345"},{"type":"REPORT","url":"https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"f52fbf4f3ed02a7d872d8a102006f29b4421f360"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"b33d01d8a253028083df250b5d4a2e43e5560c64"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"c1c50650df6cef69c392ad0d544c30e571e24214"},{"introduced":"fbc96c50d72f55131e43939e38c1e5af4315a755"},{"fixed":"9b9a620ce6983ea56a0b94501e4661d2ccf916d8"}]}],"versions":["n3.0","n3.0.1","n3.0.2","n3.0.3","n3.0.4","n3.0.5","n3.0.6","n3.0.7","n3.1","n3.1-dev","n3.1.1","n3.1.2","n3.1.3","n3.1.4","n3.1.5","n3.1.6","n3.1.7","n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.3","n3.3-dev","n3.4-dev"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["171761850885783161694918931923155613653","287454683090357633262522277026531572655","283892481322314227092797983348005820398","220739420317396261739711762453104130432"]},"target":{"file":"libavformat/tests/fifo_muxer.c"},"signature_version":"v1","id":"CVE-2017-9992-31eccf5a","source":"https://github.com/ffmpeg/ffmpeg/commit/5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0","signature_type":"Line"},{"deprecated":false,"digest":{"length":1168,"function_hash":"173690714667852622426013926318516017828"},"target":{"function":"decode_dds1","file":"libavcodec/dfa.c"},"signature_version":"v1","id":"CVE-2017-9992-60fa412b","source":"https://github.com/ffmpeg/ffmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360","signature_type":"Function"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["49292181257551172576771973708726667050","51557325619138272839030920394370860057","143321983408069829629295156302111297253","168494076503263253939609218673331973402"]},"target":{"file":"libavcodec/dfa.c"},"signature_version":"v1","id":"CVE-2017-9992-a8b5c31e","source":"https://github.com/ffmpeg/ffmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360","signature_type":"Line"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9992.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"127fc5dcc66b799f47a84746cc3ea4dec694eff2"},{"fixed":"a67b6501e7e386f567d75c3abda3e5a0b70703cf"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9992.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}