[FFmpeg-devel] Question re: CVE-2019-15942 and ffmpeg 3.4.6
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Thu Nov 14 22:39:06 EET 2019
On Thu, Nov 14, 2019 at 9:31 PM James Boyle <jboyle at quotient-inc.com> wrote:
> Hello,
>
> I was wondering if anyone can verify whether or not CVE-2019-15942
> affects ffmpeg version 3.4.6. From trac ticket 8093
> (https://trac.ffmpeg.org/ticket/8093), it looks like it was a
> "regression since 992532ee3122d7938a7581988eea401b57de8189". I'm not
> well versed with git, but running "git branch -r --contains
> 992532ee3122d7938a7581988eea401b57de8189" seems to suggest that that
> commit is only included in "origin/HEAD -> origin/master",
> "origin/master", and "origin/release/4.2". Additionally, the commit
> that fixes the issue (af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71) seems to
> include a pointer for a struct defined in current ffmpeg that is nowhere
> to be found in ffmpeg 3.4.6 [static void alloc_rbsp_buffer(H2645RBSP
> *rbsp, unsigned int size, int use_ref)].
>
> I'm hopeful that all of this information adds up to CVE-2019-15942 not
> affecting ffmpeg 3.4.6, but would be grateful if someone familiar with
> the code would verify.
>
> Thanks much!
> --James
>
You are right: It was not even in 4.1. Or in any of the earlier releases.
- Andreas
More information about the ffmpeg-devel
mailing list