{"id":"CVE-2017-9992","details":"Heap-based buffer overflow in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.","modified":"2026-07-08T14:13:18.876296Z","published":"2017-06-28T06:29:00.487Z","database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","extracted_events":[{"introduced":"8.0"},{"last_affected":"8.0"}]}]},"references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-4012"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99319"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1345"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.ffmpeg.org/ffmpeg.git","events":[{"introduced":"0"},{"fixed":"ffab459e4e491384756cf8bae0f3922c5e4f6271"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"b33d01d8a253028083df250b5d4a2e43e5560c64"},{"introduced":"fbc96c50d72f55131e43939e38c1e5af4315a755"},{"fixed":"9b9a620ce6983ea56a0b94501e4661d2ccf916d8"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"c1c50650df6cef69c392ad0d544c30e571e24214"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.8.12"},{"introduced":"3.0"},{"fixed":"3.0.8"},{"introduced":"3.1"},{"fixed":"3.1.8"},{"introduced":"3.2"},{"fixed":"3.2.5"},{"introduced":"3.3"},{"fixed":"3.3.1"}]}}],"versions":["n3.3","n3.2.4","n2.8.11","n3.0.7","n3.1.7","n3.2.3","n3.0.6","n2.8.10","n3.0.5","n3.2.2","n3.1.6","n2.8.9","n3.2.1","n3.1.5","n3.0.4","n3.2","n3.3-dev","n3.1.4","n3.0.3","n2.8.8","n3.1.3","n3.1.2","n2.8.7","n3.1.1","n3.1","n3.2-dev","n3.0.2","n3.0.1","n3.0","n3.1-dev","n2.8.6","n2.8.5","n2.8.4","n2.8.3","n2.8.2","n2.8.1","n2.8","n2.8-dev","n2.7-dev","n2.6-dev","n2.5-dev","n2.4-dev","n2.3-dev","n2.2-dev","n2.0","n2.1-dev","n1.3-dev","n1.2-dev","n1.1-dev","n0.12-dev","n0.11-dev","n0.8","N"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9992.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"ffab459e4e491384756cf8bae0f3922c5e4f6271"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"b33d01d8a253028083df250b5d4a2e43e5560c64"},{"introduced":"fbc96c50d72f55131e43939e38c1e5af4315a755"},{"fixed":"9b9a620ce6983ea56a0b94501e4661d2ccf916d8"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"c1c50650df6cef69c392ad0d544c30e571e24214"},{"fixed":"f52fbf4f3ed02a7d872d8a102006f29b4421f360"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.8.12"},{"introduced":"3.0"},{"fixed":"3.0.8"},{"introduced":"3.1"},{"fixed":"3.1.8"},{"introduced":"3.2"},{"fixed":"3.2.5"},{"introduced":"3.3"},{"fixed":"3.3.1"}]}}],"versions":["n3.3","n3.4-dev","n3.2.4","n2.8.11","n3.0.7","n3.1.7","n3.2.3","n3.0.6","n2.8.10","n3.0.5","n3.2.2","n3.1.6","n2.8.9","n3.2.1","n3.1.5","n3.0.4","n3.2","n3.3-dev","n3.1.4","n3.0.3","n2.8.8","n3.1.3","n3.1.2","n2.8.7","n3.1.1","n3.1","n3.2-dev","n3.0.2","n3.0.1","n3.0","n3.1-dev","n2.8.6","n2.8.5","n2.8.4","n2.8.3","n2.8.2","n2.8.1","n2.8","n2.8-dev","n2.7-dev","n2.6-dev","n2.5-dev","n2.4-dev","n2.3-dev","n2.2-dev","n2.0","n2.1-dev","n1.3-dev","n1.2-dev","n1.1-dev","n0.12-dev","n0.11-dev","n0.8","N"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9992.json","vanir_signatures_modified":"2026-07-08T14:13:18Z","vanir_signatures":[{"source":"https://github.com/ffmpeg/ffmpeg/commit/5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0","digest":{"threshold":0.9,"line_hashes":["171761850885783161694918931923155613653","287454683090357633262522277026531572655","283892481322314227092797983348005820398","220739420317396261739711762453104130432"]},"signature_version":"v1","deprecated":false,"id":"CVE-2017-9992-31eccf5a","target":{"file":"libavformat/tests/fifo_muxer.c"},"signature_type":"Line"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360","digest":{"function_hash":"173690714667852622426013926318516017828","length":1168},"signature_version":"v1","deprecated":false,"id":"CVE-2017-9992-60fa412b","target":{"function":"decode_dds1","file":"libavcodec/dfa.c"},"signature_type":"Function"},{"source":"https://github.com/ffmpeg/ffmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360","digest":{"threshold":0.9,"line_hashes":["49292181257551172576771973708726667050","51557325619138272839030920394370860057","143321983408069829629295156302111297253","168494076503263253939609218673331973402"]},"signature_version":"v1","deprecated":false,"id":"CVE-2017-9992-a8b5c31e","target":{"file":"libavcodec/dfa.c"},"signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}