{"id":"CVE-2020-35964","details":"track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.","modified":"2026-04-11T13:53:11.333021Z","published":"2021-01-03T19:15:11.720Z","related":["openSUSE-SU-2024:10754-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-24"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"last_affected":"6b6b9e593dd4d3aaf75f48d40a13ef03bdef9fdb"},{"fixed":"27a99e2c7d450fef15594671eef4465c8a166bd7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.3.1"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev","n4.3","n4.3-dev","n4.3.1","n4.4-dev"],"database_specific":{"vanir_signatures_modified":"2026-04-11T13:53:11Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35964.json","vanir_signatures":[{"deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"10276585309990227696075281458891561069","length":3384},"source":"https://github.com/ffmpeg/ffmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7","target":{"file":"libavformat/vividas.c","function":"track_header"},"id":"CVE-2020-35964-0f156ff9"},{"deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["525220999456771788212427340728994532","317307677012499269104552687143356229094","176363839622445295858762660691841516745","43016194688168285533120225362894370751","286042928014928739281680011525269130541","11992140142306964629683768603922020439","200843498105875523833003801902439723737","39197240954016635089876379214511819819","281417731946186976767554153478378754190","203532130500819324495404539649090814028","304080042666092356809505296181497057150","226802671110702742982797614535487385524","73082539325848717179228355520517924855","79775762244740831969228940730835702535","143250374037328722978253924629184378451","176687105145931248001790678730593095432","114681025252844250937220800945534023486","37486818162621233002606144904404698805","166262640446944194489426637763137381045","319702081660647726261688445969219196991","215814048822915231723972422777677205668"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7","target":{"file":"libavformat/vividas.c"},"id":"CVE-2020-35964-ee6b3729"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}