Hello,

I was wondering if anyone can verify whether or not CVE-2019-15942 affects ffmpeg version 3.4.6. From trac ticket 8093 (https://trac.ffmpeg.org/ticket/8093), it looks like it was a "regression since 992532ee3122d7938a7581988eea401b57de8189".

I'm not well versed with git, but running "git branch -r --contains 992532ee3122d7938a7581988eea401b57de8189" seems to suggest that that commit is only included in "origin/HEAD -> origin/master", "origin/master", and "origin/release/4.2".

Additionally, the commit that fixes the issue (af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71) seems to include a pointer for a struct defined in current ffmpeg that is nowhere to be found in ffmpeg 3.4.6 [static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref)].
I'm hopeful that all of this information adds up to CVE-2019-15942 not affecting ffmpeg 3.4.6, but would be grateful if someone familiar with the code would verify.

Thanks much!

--James
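An added example, not part of the original message or of FFmpeg's own tooling: the ancestry check described above, written as a shell function that classifies a ref from the introducing and fixing commits. It also looks for "(cherry picked from commit ...)" trailers, on the assumption that backports were made with git cherry-pick -x; the function names and the tag name n3.4.6 in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. Usage (tag name n3.4.6 is an assumption about the clone):
#   sh check.sh ./ffmpeg 992532ee3122d7938a7581988eea401b57de8189 \
#       af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71 n3.4.6

# contains_change REPO COMMIT REF
# True if COMMIT is an ancestor of REF, or if a commit reachable from REF
# carries the "(cherry picked from commit <hash>)" trailer that
# `git cherry-pick -x` writes (assumes backports were made that way).
contains_change() {
    git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null && return 0
    full=$(git -C "$1" rev-parse "$2^{commit}")
    [ -n "$(git -C "$1" log -1 --format=%H --fixed-strings \
            --grep="cherry picked from commit $full" "$3")" ]
}

# classify_ref REPO INTRODUCING_COMMIT FIXING_COMMIT REF
# Prints not-affected, affected, fixed, or unknown (object missing in clone).
classify_ref() {
    for rev in "$2" "$3" "$4"; do
        git -C "$1" rev-parse --quiet --verify "$rev^{commit}" >/dev/null 2>&1 ||
            { echo unknown; return 0; }
    done
    if ! contains_change "$1" "$2" "$4"; then
        echo not-affected
    elif contains_change "$1" "$3" "$4"; then
        echo fixed
    else
        echo affected
    fi
}

if [ "$#" -eq 4 ]; then
    classify_ref "$@"
fi
```

A not-affected result only says that neither the exact commit nor a marked cherry-pick of it is in the ref's history; a backport committed without the trailer would not be seen.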