{"id":"CVE-2019-17542","details":"FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk because of an out-of-array access in vqa_decode_init in libavcodec/vqavideo.c.","modified":"2026-04-15T23:59:53.615286527Z","published":"2019-10-14T02:15:10.780Z","related":["SUSE-SU-2019:3184-1","SUSE-SU-2019:3184-2"],"references":[{"type":"ADVISORY","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15919"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00003.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00022.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-65"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4431-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4722"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15919"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00003.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.ffmpeg.org/ffmpeg.git","events":[{"introduced":"0"},{"fixed":"f93e026b642431e796775345df2483ae283283f2"},{"introduced":"22b0daa1b3f0ac5d91cc1a057d230995590847cd"},{"fixed":"289a79d545e83a97f5cdd00b28ce70638dae53e8"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"37a8ad9a3167923d500910031a8086489c004d83"},{"introduced":"3c1ecb057d7621e57968624aa15ad3e9efc819f7"},{"fixed":"4521700f295f35da4768f88b570e0836a858ce7b"},{"introduced":"ace829cb45cff530b8a0aed6adf18f329d7a98f6"},{"fixed":"26e1d0d015bb11ab0383729c52cfca4fd9cf4e79"}]}],"versions":["n3.2","n3.2-dev","n3.2.1","n3.2.10","n3.2.11","n3.2.12","n3.2.13","n3.2.14","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.2.6","n3.2.7","n3.2.8","n3.2.9","n3.4","n3.4-dev","n3.4.1","n3.4.2","n3.4.3","n3.4.4","n3.4.5","n3.4.6","n3.5-dev","n4.0","n4.0.1","n4.0.2","n4.0.3","n4.0.4","n4.1","n4.1-dev","n4.1.1","n4.1.2","n4.1.3","n4.1.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17542.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.com/libtiff/libtiff","events":[{"introduced":"f7b79dc7dc86ccbaabe9882e2b9ffa5ee8dac917"},{"fixed":"e9b10efff946139452f7b6252030c63e690cba6c"}]}],"versions":["v4.0.0","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.0.4beta"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17542.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}