{"id":"CVE-2019-11339","details":"The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 before 4.0.4 and 4.1 before 4.1.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via crafted MPEG-4 video data.","modified":"2026-04-11T08:05:29.143218Z","published":"2019-04-19T00:29:00.293Z","related":["openSUSE-SU-2020:0024-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/3967-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00012.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108037"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"ace829cb45cff530b8a0aed6adf18f329d7a98f6"},{"fixed":"ee66e04bc9dbbcf95114a103f174ed54b2260758"},{"introduced":"3c1ecb057d7621e57968624aa15ad3e9efc819f7"},{"fixed":"a7cb7a2e4314956e06a351333ff8096fab9afa7f"},{"fixed":"1f686d023b95219db933394a7704ad9aa5f01cbb"},{"fixed":"d227ed5d598340e719eff7156b1aa0a4469e9a6a"}],"database_specific":{"versions":[{"introduced":"4.0"},{"fixed":"4.0.4"},{"introduced":"4.1"},{"fixed":"4.1.2"}]}}],"versions":["n4.0","n4.0.1","n4.0.2","n4.0.3","n4.1","n4.1-dev","n4.1.1","n4.2-dev"],"database_specific":{"vanir_signatures":[{"id":"CVE-2019-11339-46c7335d","digest":{"function_hash":"41296419305316088242037833099035261065","length":3002},"source":"https://github.com/ffmpeg/ffmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a","signature_type":"Function","deprecated":false,"target":{"function":"mpeg4_decode_studio_block","file":"libavcodec/mpeg4videodec.c"},"signature_version":"v1"},{"id":"CVE-2019-11339-6ce8539f","digest":{"threshold":0.9,"line_hashes":["196590687099187513051223795847589783435","312991416146212581129518582977202676759","201856063348134663383340940408327447423","164435469687328264150812677268537811351","150209137443118074655683873635357904176","66436617515311640562812047729254084355","48058076172097344956900250046099921496","151331248721785865971496334836964937327","80695285972875537713694838148526906706","24921378405940910674322116230453522255"]},"source":"https://github.com/ffmpeg/ffmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a","signature_type":"Line","deprecated":false,"target":{"file":"libavcodec/mpeg4videodec.c"},"signature_version":"v1"},{"id":"CVE-2019-11339-aa5b60c2","digest":{"threshold":0.9,"line_hashes":["294836802028254104437015519727142575903","329944762376806700361291339240494798822","320298714614336043866888945378643631563","59044922675942639841070301700479117755"]},"source":"https://github.com/ffmpeg/ffmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb","signature_type":"Line","deprecated":false,"target":{"file":"libavcodec/mpeg4videodec.c"},"signature_version":"v1"},{"id":"CVE-2019-11339-b21214eb","digest":{"function_hash":"312495717718519555182595270957768899859","length":1782},"source":"https://github.com/ffmpeg/ffmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb","signature_type":"Function","deprecated":false,"target":{"function":"decode_studio_vop_header","file":"libavcodec/mpeg4videodec.c"},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T08:05:29Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11339.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}