{"id":"CVE-2019-17542","details":"FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk because of an out-of-array access in vqa_decode_init in libavcodec/vqavideo.c.","modified":"2026-04-16T04:32:43.777084245Z","published":"2019-10-14T02:15:10.780Z","related":["SUSE-SU-2019:3184-1","SUSE-SU-2019:3184-2"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-65"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4431-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4722"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00003.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00022.html"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15919"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"f93e026b642431e796775345df2483ae283283f2"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"37a8ad9a3167923d500910031a8086489c004d83"},{"introduced":"22b0daa1b3f0ac5d91cc1a057d230995590847cd"},{"fixed":"289a79d545e83a97f5cdd00b28ce70638dae53e8"},{"introduced":"ace829cb45cff530b8a0aed6adf18f329d7a98f6"},{"fixed":"26e1d0d015bb11ab0383729c52cfca4fd9cf4e79"},{"introduced":"3c1ecb057d7621e57968624aa15ad3e9efc819f7"},{"fixed":"4521700f295f35da4768f88b570e0836a858ce7b"},{"introduced":"0"},{"last_affected":"140fd653aed8cad774f991ba083e2d01e86420c7"},{"fixed":"02f909dc24b1f05cfbba75077c7707b905e63cd2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.8.16"},{"introduced":"3.2"},{"fixed":"3.2.15"},{"introduced":"3.4"},{"fixed":"3.4.7"},{"introduced":"4.0"},{"fixed":"4.0.5"},{"introduced":"4.1"},{"fixed":"4.1.5"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8","n2.8-dev","n2.8.1","n2.8.10","n2.8.11","n2.8.12","n2.8.13","n2.8.14","n2.8.15","n2.8.2","n2.8.3","n2.8.4","n2.8.5","n2.8.6","n2.8.7","n2.8.8","n2.8.9","n3.2","n3.2-dev","n3.2.1","n3.2.10","n3.2.11","n3.2.12","n3.2.13","n3.2.14","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.2.6","n3.2.7","n3.2.8","n3.2.9","n3.4","n3.4-dev","n3.4.1","n3.4.2","n3.4.3","n3.4.4","n3.4.5","n3.4.6","n4.0","n4.0.1","n4.0.2","n4.0.3","n4.0.4","n4.1","n4.1-dev","n4.1.1","n4.1.2","n4.1.3","n4.1.4","n4.2-dev","n4.3-dev","n4.4-dev","n4.5-dev","n5.1-dev","n5.2-dev","n6.1-dev","n6.2-dev","n7.1-dev","n7.2-dev","n8.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","target":{"file":"libavcodec/vqavideo.c"},"id":"CVE-2019-17542-0ca3929d","signature_type":"Line","digest":{"line_hashes":["310263782351760870571504456429108356263","178012746726377242619005885358425076037","334687871437098306138972385748784743069","208546921554735824349792311272121148696"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2"},{"deprecated":false,"target":{"file":"libavcodec/vqavideo.c","function":"vqa_decode_init"},"signature_version":"v1","id":"CVE-2019-17542-27cd11de","digest":{"function_hash":"104503227865601440695101769280727086051","length":2434},"signature_type":"Function","source":"https://github.com/ffmpeg/ffmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2"},{"signature_type":"Function","target":{"file":"libavformat/hlsenc.c","function":"hls_write_trailer"},"signature_version":"v1","id":"CVE-2019-17542-89be5de9","digest":{"function_hash":"319021067119698628255415066517927384702","length":3260},"deprecated":false,"source":"https://github.com/ffmpeg/ffmpeg/commit/4521700f295f35da4768f88b570e0836a858ce7b"},{"deprecated":false,"target":{"file":"libavformat/hlsenc.c"},"signature_version":"v1","id":"CVE-2019-17542-def83151","signature_type":"Line","digest":{"line_hashes":["111757355275855299767214097555503833425","332776709410158749058424084520384076278","126244308190247979754930455471757737376","94499542832375321740817633492542024465","130172128018366235132297832589555939800","55536100370799741404976270153852322799","178437194551693198799431818210633522790","212929257175167450126831190360563960264","62370169604886578115909868256949237475","129049294233240527051413687895358407876","286287738882113096420417966736547438098","243635147339143298832966112516759698288","272776886790752221810033028800273149150","9747124137513848496923527654951202606","301927968725738236165575381671008622991","192183203489963350993466951267713113650","122011600157872378775713225314617790943","25213801080174912976460312183375057971","74233774275043259138930394312098586340","241426111203459057517320451984683680334","255987871053178237141709543074309270079","273577814075419466154781616910945826301"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/4521700f295f35da4768f88b570e0836a858ce7b"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures_modified":"2026-04-11T12:42:18Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17542.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}