On Thu, Nov 14, 2019 at 9:31 PM James Boyle <jbo...@quotient-inc.com> wrote:
> Hello,
>
> I was wondering if anyone can verify whether or not CVE-2019-15942
> affects ffmpeg version 3.4.6. From trac ticket 8093
> (https://trac.ffmpeg.org/ticket/8093), it looks like it was a
> "regression since 992532ee3122d7938a7581988eea401b57de8189". I'm not
> well versed with git, but running "git branch -r --contains
> 992532ee3122d7938a7581988eea401b57de8189" seems to suggest that that
> commit is only included in "origin/HEAD -> origin/master",
> "origin/master", and "origin/release/4.2". Additionally, the commit
> that fixes the issue (af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71) seems to
> include a pointer for a struct defined in current ffmpeg that is nowhere
> to be found in ffmpeg 3.4.6 [static void alloc_rbsp_buffer(H2645RBSP
> *rbsp, unsigned int size, int use_ref)].
>
> I'm hopeful that all of this information adds up to CVE-2019-15942 not
> affecting ffmpeg 3.4.6, but would be grateful if someone familiar with
> the code would verify.
>
> Thanks much!
> --James
>

You are right: It was not even in 4.1. Or in any of the earlier releases.

- Andreas
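
The ancestry check asked about in this thread, as an added example that is not part of the original messages or of FFmpeg's own tooling: `git merge-base --is-ancestor` answers the question for one specific release ref, where `git branch -r --contains` only lists branches. The repository, the tag names `rel-old` and `rel-new`, and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; the repository, tags and commits below are constructed.

# commit_in_release REPO COMMIT REF
# Prints "affected" when COMMIT is an ancestor of REF (the release contains it),
# "not-affected" when it is not, "unknown" when either name does not resolve.
commit_in_release() {
    for name in "$2" "$3"; do
        git -C "$1" rev-parse --verify --quiet "${name}^{commit}" >/dev/null \
            || { echo unknown; return 0; }
    done
    if git -C "$1" merge-base --is-ancestor "$2" "$3"; then
        echo affected
    else
        echo not-affected
    fi
}

# make_demo_repo: builds a throwaway repository and prints its path.
# History: base (tag rel-old) -> regression -> later work (tag rel-new).
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
        export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
        cd "$repo" &&
        git init --quiet . &&
        git commit --quiet --allow-empty -m "base" &&
        git tag rel-old &&
        git commit --quiet --allow-empty -m "regression" &&
        git commit --quiet --allow-empty -m "later work" &&
        git tag rel-new
    ) >/dev/null 2>&1 || return 1
    echo "$repo"
}

# Demo: the regression commit is rel-new~1 in the constructed history.
demo_repo=$(make_demo_repo) || exit 1
bad=$(git -C "$demo_repo" rev-parse rel-new~1)
for rel in rel-old rel-new; do
    echo "$rel: $(commit_in_release "$demo_repo" "$bad" "$rel")"
done
rm -rf "$demo_repo"
```

An ancestry check only shows that the exact commit object is absent from a release; a change backported by cherry-pick carries a different hash, so it is worth pairing with a look at the code itself, as the question does with `alloc_rbsp_buffer`.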