{"id":"CVE-2017-9994","details":"libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 does not ensure that pix_fmt is set, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the vp8_decode_mb_row_no_filter and pred8x8_128_dc_8_c functions.","modified":"2026-04-16T01:47:56.526266011Z","published":"2017-06-28T06:29:00.550Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99317"},{"type":"ADVISORY","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1434"},{"type":"ADVISORY","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1435"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1434"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1435"},{"type":"REPORT","url":"https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"b33d01d8a253028083df250b5d4a2e43e5560c64"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"c1c50650df6cef69c392ad0d544c30e571e24214"},{"introduced":"fbc96c50d72f55131e43939e38c1e5af4315a755"},{"fixed":"9b9a620ce6983ea56a0b94501e4661d2ccf916d8"}]}],"versions":["n3.0","n3.0.1","n3.0.2","n3.0.3","n3.0.4","n3.0.5","n3.0.6","n3.0.7","n3.1","n3.1-dev","n3.1.1","n3.1.2","n3.1.3","n3.1.4","n3.1.5","n3.1.6","n3.1.7","n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.3","n3.3-dev","n3.4-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9994.json","vanir_signatures":[{"id":"CVE-2017-9994-073ac825","digest":{"function_hash":"63037889122877983806885686506885793535","length":807},"target":{"function":"vp8_lossy_decode_frame","file":"libavcodec/webp.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"target":{"function":"vp78_decode_frame","file":"libavcodec/vp8.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","id":"CVE-2017-9994-0803633b","digest":{"function_hash":"12811538007009368521768820160525171352","length":4741},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2017-9994-2789a265","digest":{"threshold":0.9,"line_hashes":["59530602348887585127343468186882345762","212201494289102489329007751342773101572","17531334238279980247689878590253058405"]},"target":{"file":"libavcodec/vp8.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2017-9994-31eccf5a","digest":{"threshold":0.9,"line_hashes":["171761850885783161694918931923155613653","287454683090357633262522277026531572655","283892481322314227092797983348005820398","220739420317396261739711762453104130432"]},"target":{"file":"libavformat/tests/fifo_muxer.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["276775926823435890395552855712813588257","329621359807923611954894778885133601440","31770340694690976363564959590920458536","140287423863305662298629688925795152162","201153677553983936514563381634874476530","84348492142917805256586395988190157211"]},"deprecated":false,"target":{"file":"libavcodec/webp.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","id":"CVE-2017-9994-3d89ee6c","signature_version":"v1","signature_type":"Line"}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"127fc5dcc66b799f47a84746cc3ea4dec694eff2"},{"fixed":"a67b6501e7e386f567d75c3abda3e5a0b70703cf"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9994.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}