Main Vulnerability Database SB2014030204

SB2014030204 - Multiple vulnerabilities in ffmpeg.sourceforge.net FFmpeg

Published: March 2, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014030204

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2014-2097)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data.

2) Buffer overflow (CVE-ID: CVE-2014-2098)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data.

3) Input validation error (CVE-ID: CVE-2014-2099)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data.

Remediation

Install update from vendor's website.

SB2014030204 - Multiple vulnerabilities in ffmpeg.sourceforge.net FFmpeg

Breakdown by Severity

Description

Remediation

References