[FFmpeg-devel] Question re: CVE-2019-15942 and ffmpeg 3.4.6
James Boyle
jboyle at quotient-inc.com
Thu Nov 14 22:31:00 EET 2019
Hello,
I was wondering if anyone can verify whether or not CVE-2019-15942
affects ffmpeg version 3.4.6. From trac ticket 8093
(https://trac.ffmpeg.org/ticket/8093), it looks like it was a
"regression since 992532ee3122d7938a7581988eea401b57de8189". I'm not
well versed with git, but running "git branch -r --contains
992532ee3122d7938a7581988eea401b57de8189" seems to suggest that that
commit is only included in "origin/HEAD -> origin/master",
"origin/master", and "origin/release/4.2". Additionally, the commit
that fixes the issue (af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71) seems to
include a pointer for a struct defined in current ffmpeg that is nowhere
to be found in ffmpeg 3.4.6 [static void alloc_rbsp_buffer(H2645RBSP
*rbsp, unsigned int size, int use_ref)].
I'm hopeful that all of this information adds up to CVE-2019-15942 not
affecting ffmpeg 3.4.6, but would be grateful if someone familiar with
the code would verify.
Thanks much!
--James
More information about the ffmpeg-devel
mailing list