Vulnerability Description
The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)
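The bug class described above is a lookup function whose contract includes a NULL return for values it cannot name, paired with a caller that assumes a name always comes back. The following is an added illustration, not FFmpeg's code and not the upstream fix: a constructed name table with the same NULL-returning contract as av_color_primaries_name, the unchecked caller pattern that produces the crash, and a hardened caller that checks the pointer and falls back to printing the numeric value. The enum values, table contents, function names and the fallback format are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an AVColorPrimaries-style enum (not FFmpeg's).
 * Only a few values are named; the rest are gaps, and anything outside
 * [0, CP_NB) is out of range. A value read from a file can be any of these. */
enum {
    CP_BT709       = 1,
    CP_UNSPECIFIED = 2,
    CP_BT470M      = 4,
    CP_NB          = 23    /* size of the name table */
};

static const char *const primaries_names[CP_NB] = {
    [CP_BT709]       = "bt709",
    [CP_UNSPECIFIED] = "unknown",
    [CP_BT470M]      = "bt470m",
};

/* Same contract as av_color_primaries_name(): NULL when the value is out of
 * range or has no entry in the table. Callers must handle that NULL. */
const char *color_primaries_name(int p)
{
    if (p < 0 || p >= CP_NB)
        return NULL;
    return primaries_names[p];      /* gaps in the table are NULL */
}

/* Vulnerable caller pattern (the shape of the defect in the advisory):
 * the returned pointer is used as a string with no NULL check, so a file
 * carrying an unnamed or out-of-range value drives strlen() into NULL.
 * Assumes len > 0. Kept here only to show the pattern; do not feed it
 * untrusted values. */
size_t describe_primaries_vulnerable(int p, char *buf, size_t len)
{
    const char *name = color_primaries_name(p);
    size_t n = strlen(name);        /* NULL pointer dereference on bad input */
    if (n + 1 > len)
        n = len - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    return n;
}

/* Hardened caller: check the pointer, and report the raw value when there
 * is no name so the output still records what the file contained.
 * Returns the length snprintf would have produced. */
size_t describe_primaries(int p, char *buf, size_t len)
{
    const char *name = color_primaries_name(p);
    if (name)
        return (size_t)snprintf(buf, len, "color primaries: %s", name);
    return (size_t)snprintf(buf, len, "color primaries: unknown(%d)", p);
}

int main(void)
{
    /* Constructed sample values: one named, one gap, one out of range. */
    const int samples[] = { CP_BT709, 3, 200 };
    char line[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_primaries(samples[i], line, sizeof line);
        printf("%s\n", line);
    }
    return 0;
}
```

The hardened version is the one to keep; the vulnerable one is shown only to make the missing check visible side by side. The same pattern applies to any of the av_*_name helpers in libavutil/pixdesc.c that return NULL for unnamed values.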
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ffmpeg | Ffmpeg | 3.3.3 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3996
- http://www.securityfocus.com/bid/100704 (Third Party Advisory, VDB Entry)
- https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html (Mailing List, Patch, Vendor Advisory)
FAQ
What is CVE-2017-14225?
CVE-2017-14225 is a vulnerability with a CVSS score of 8.8 (HIGH). The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by t...
How severe is CVE-2017-14225?
CVE-2017-14225 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-14225?
Check the references section above for vendor advisories and patch information. Affected products include: Ffmpeg Ffmpeg.