{"id":"CVE-2018-12460","details":"libavcodec in FFmpeg 4.0 may trigger a NULL pointer dereference if the studio profile is incorrectly detected while converting a crafted AVI file to MPEG4, leading to a denial of service, related to idctdsp.c and mpegvideo.c.","modified":"2026-02-24T11:26:10.678507Z","published":"2018-06-15T15:29:00.327Z","references":[{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d"},{"type":"REPORT","url":"https://github.com/FFmpeg/FFmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"b3332a182f8ba33a34542e4a0370f38b914ccf7d"}]}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-12460.json","vanir_signatures":[{"source":"https://github.com/ffmpeg/ffmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d","target":{"file":"libavcodec/mpegvideo.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["203287591705143062107314822259186818250","282324406643675235954044795659311484560","333694940045075628046426726534229330266","163351085974951288276078275623224076606"],"threshold":0.9},"signature_type":"Line","id":"CVE-2018-12460-33b6afd3"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d","target":{"function":"ff_idctdsp_init","file":"libavcodec/idctdsp.c"},"signature_version":"v1","deprecated":false,"digest":{"length":2672,"function_hash":"28671708147843153440469134798873711068"},"signature_type":"Function","id":"CVE-2018-12460-35b548de"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d","target":{"file":"libavcodec/idctdsp.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["126536519982937281418884318443799011247","250889362032603908287582132871077149337","290159734777921403366208928525488705450","260773072982675090556546599099380073658"],"threshold":0.9},"signature_type":"Line","id":"CVE-2018-12460-9110840e"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d","target":{"function":"ff_mpv_idct_init","file":"libavcodec/mpegvideo.c"},"signature_version":"v1","deprecated":false,"digest":{"length":750,"function_hash":"39856762836001306115006842251816044728"},"signature_type":"Function","id":"CVE-2018-12460-b8d9faf7"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d","target":{"file":"libavcodec/idctdsp.h"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["130799097354866713191710292741187585976","256346152185321240798215610385516487639","73658507746507163792722605294300294903","73753474191504460849366634306293844425"],"threshold":0.9},"signature_type":"Line","id":"CVE-2018-12460-f62ef0ba"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}