{"id":"CVE-2017-9994","details":"libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 does not ensure that pix_fmt is set, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the vp8_decode_mb_row_no_filter and pred8x8_128_dc_8_c functions.","modified":"2026-04-16T06:22:28.870424712Z","published":"2017-06-28T06:29:00.550Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99317"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1434"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1435"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"ffab459e4e491384756cf8bae0f3922c5e4f6271"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"b33d01d8a253028083df250b5d4a2e43e5560c64"},{"introduced":"fbc96c50d72f55131e43939e38c1e5af4315a755"},{"fixed":"9b9a620ce6983ea56a0b94501e4661d2ccf916d8"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"c1c50650df6cef69c392ad0d544c30e571e24214"},{"introduced":"0"},{"last_affected":"140fd653aed8cad774f991ba083e2d01e86420c7"},{"fixed":"6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.8.12"},{"introduced":"3.0"},{"fixed":"3.0.8"},{"introduced":"3.1"},{"fixed":"3.1.8"},{"introduced":"3.2"},{"fixed":"3.2.5"},{"introduced":"3.3"},{"fixed":"3.3.1"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8","n2.8-dev","n2.8.1","n2.8.10","n2.8.11","n2.8.2","n2.8.3","n2.8.4","n2.8.5","n2.8.6","n2.8.7","n2.8.8","n2.8.9","n3.0","n3.0.1","n3.0.2","n3.0.3","n3.0.4","n3.0.5","n3.0.6","n3.0.7","n3.1","n3.1-dev","n3.1.1","n3.1.2","n3.1.3","n3.1.4","n3.1.5","n3.1.6","n3.1.7","n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.3","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev","n4.3-dev","n4.4-dev","n4.5-dev","n5.1-dev","n5.2-dev","n6.1-dev","n6.2-dev","n7.1-dev","n7.2-dev","n8.0"],"database_specific":{"vanir_signatures":[{"id":"CVE-2017-9994-073ac825","signature_type":"Function","deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","digest":{"function_hash":"63037889122877983806885686506885793535","length":807},"target":{"function":"vp8_lossy_decode_frame","file":"libavcodec/webp.c"},"signature_version":"v1"},{"id":"CVE-2017-9994-0803633b","signature_type":"Function","deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","digest":{"function_hash":"12811538007009368521768820160525171352","length":4741},"target":{"function":"vp78_decode_frame","file":"libavcodec/vp8.c"},"signature_version":"v1"},{"id":"CVE-2017-9994-2789a265","signature_type":"Line","deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","digest":{"threshold":0.9,"line_hashes":["59530602348887585127343468186882345762","212201494289102489329007751342773101572","17531334238279980247689878590253058405"]},"target":{"file":"libavcodec/vp8.c"},"signature_version":"v1"},{"id":"CVE-2017-9994-31eccf5a","signature_type":"Line","deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/5d737a3d0ca2bf0f0c6170096d9d1ca230cf9ee0","digest":{"threshold":0.9,"line_hashes":["171761850885783161694918931923155613653","287454683090357633262522277026531572655","283892481322314227092797983348005820398","220739420317396261739711762453104130432"]},"target":{"file":"libavformat/tests/fifo_muxer.c"},"signature_version":"v1"},{"id":"CVE-2017-9994-3d89ee6c","signature_version":"v1","deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef","digest":{"threshold":0.9,"line_hashes":["276775926823435890395552855712813588257","329621359807923611954894778885133601440","31770340694690976363564959590920458536","140287423863305662298629688925795152162","201153677553983936514563381634874476530","84348492142917805256586395988190157211"]},"target":{"file":"libavcodec/webp.c"},"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9994.json","vanir_signatures_modified":"2026-04-11T03:11:46Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}