Bugzilla – Bug 1223087
VUL-0: CVE-2024-31585: ffmpeg,ffmpeg-4: off-by-one error in libavfilter/avf_showspectrum.c.
Last modified: 2024-05-06 07:48:45 UTC
FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Error vulnerability in libavfilter/avf_showspectrum.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31585 https://www.cve.org/CVERecord?id=CVE-2024-31585 https://gist.github.com/1047524396/dc2c64ffe0c3934a6176bcd2c5cf5656 https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06
As per the fix commit description (see [0]), this issue was introduced by commit 81df787 [1], or, in other words, it was introduced in FFmpeg version 5.1. This means that affected versions are only 5.1 and later. [0] https://github.com/ffmpeg/ffmpeg/commit/ab0fdaed [1] https://github.com/FFmpeg/FFmpeg/commit/81df787b
In openSUSE:Factory, the following packages are affected: - openSUSE:Factory/ffmpeg-5 openSUSE:Factory/ffmpeg-6 is not affected, as the fix is already present in the code.
@jengelh: Don't change the bug assignee, I'm already working on this bug.
This is an autogenerated message for OBS integration: This bug (1223087) was mentioned in https://build.opensuse.org/request/show/1169719 Factory / ffmpeg-5