SB2013022702 - Multiple vulnerabilities in ffmpeg.sourceforge.net FFmpeg 




Published: February 27, 2013
Updated: August 11, 2020

Security Bulletin ID: SB2013022702
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-2276)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg before 1.1.3 does not verify the decoding state before proceeding with certain skip operations, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted audio data.


2) Input validation error (CVE-ID: CVE-2013-2277)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 1.1.3 does not validate the relationship between luma depth and chroma depth, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted H.264 data.
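The kind of check item 2 describes, as an added example that is not FFmpeg's code or its patch: it decodes two Exp-Golomb depth fields from a constructed fragment and rejects truncated, out-of-range or mismatched values before a caller can use them as an array index. The bit reader, the function and enum names, the two-field layout and the rule that luma and chroma depth must be equal are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* MSB-first bit reader (hypothetical helper, not FFmpeg's own bit reader). */
typedef struct { const uint8_t *buf; size_t nbits, pos; } bitreader;

static int read_bit(bitreader *br)
{
    if (br->pos >= br->nbits)
        return -1;                          /* ran past the buffer */
    size_t p = br->pos++;
    return (br->buf[p >> 3] >> (7 - (p & 7))) & 1;
}

/* Exp-Golomb ue(v): n leading zeros, a 1, then n suffix bits. -1 on bad input. */
static int64_t read_ue(bitreader *br)
{
    int zeros = 0, bit;
    uint64_t val = 1;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31)
            return -1;                      /* longer than any 32-bit code */
    if (bit < 0)
        return -1;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0)
            return -1;
        val = (val << 1) | (uint64_t)bit;
    }
    return (int64_t)(val - 1);
}

enum { DEPTH_OK = 0, DEPTH_TRUNCATED = -1, DEPTH_RANGE = -2, DEPTH_MISMATCH = -3 };

/* Reads bit_depth_luma_minus8 then bit_depth_chroma_minus8 and validates both.
 * 0..6 is the H.264 range; rejecting luma != chroma is this example's assumption. */
int parse_depths(const uint8_t *buf, size_t len, unsigned *depth)
{
    bitreader br = { buf, len * 8, 0 };
    int64_t luma = read_ue(&br);
    int64_t chroma = read_ue(&br);
    if (luma < 0 || chroma < 0)
        return DEPTH_TRUNCATED;
    if (luma > 6 || chroma > 6)
        return DEPTH_RANGE;                 /* outside the 0..6 field range */
    if (luma != chroma)
        return DEPTH_MISMATCH;              /* one depth cannot describe both planes */
    *depth = (unsigned)luma + 8;
    return DEPTH_OK;
}
```

`*depth` is written only on `DEPTH_OK`, so a caller that ignores the return value still never receives an unvalidated depth.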


Remediation

Install the update from the vendor's website. Both vulnerabilities affect FFmpeg before 1.1.3.