CVE-2017-14169
- Source
- https://cve.org/CVERecord?id=CVE-2017-14169
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14169.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-14169
- Downstream
- Related
- Published
- 2017-09-07T06:29:00.187Z
- Modified
- 2026-04-02T00:03:36.341309Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the mxfreadprimerpack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "itemnum" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value.
- References
-
- http://www.debian.org/security/2017/dsa-3996
- http://www.securityfocus.com/bid/100692
- https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html
- https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
- https://github.com/FFmpeg/FFmpeg/commit/a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f
Affected packages
Git / github.com/ffmpeg/ffmpeg
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedFixedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "3.3.3" }, { "introduced": "0" }, { "last_affected": "8.0" } ] }
Affected versions
Other
N
ffmpeg-0.*
ffmpeg-0.6.3
n0.*
n0.10
n0.10.1
n0.10.10
n0.10.11
n0.10.12
n0.10.13
n0.10.14
n0.10.15
n0.10.16
n0.10.2
n0.10.3
n0.10.4
n0.10.5
n0.10.6
n0.10.7
n0.10.8
n0.10.9
n0.11
n0.11-dev
n0.11.1
n0.11.2
n0.11.3
n0.11.4
n0.11.5
n0.12-dev
n0.5.10
n0.5.11
n0.5.12
n0.5.13
n0.5.14
n0.5.15
n0.5.5
n0.5.6
n0.5.7
n0.5.8
n0.5.9
n0.6.4
n0.6.5
n0.6.6
n0.6.7
n0.7.1
n0.7.10
n0.7.11
n0.7.12
n0.7.13
n0.7.14
n0.7.15
n0.7.16
n0.7.17
n0.7.2
n0.7.3
n0.7.4
n0.7.5
n0.7.6
n0.7.7
n0.7.8
n0.7.9
n0.8
n0.8.1
n0.8.10
n0.8.11
n0.8.12
n0.8.13
n0.8.14
n0.8.15
n0.8.2
n0.8.3
n0.8.4
n0.8.5
n0.8.6
n0.8.7
n0.8.8
n0.8.9
n0.9
n0.9.1
n0.9.2
n0.9.3
n0.9.4
n1.*
n1.0
n1.0.1
n1.0.10
n1.0.2
n1.0.3
n1.0.4
n1.0.5
n1.0.6
n1.0.7
n1.0.8
n1.0.9
n1.1
n1.1-dev
n1.1.1
n1.1.10
n1.1.11
n1.1.12
n1.1.13
n1.1.14
n1.1.15
n1.1.16
n1.1.2
n1.1.3
n1.1.4
n1.1.5
n1.1.6
n1.1.7
n1.1.8
n1.1.9
n1.2
n1.2-dev
n1.2.1
n1.2.10
n1.2.11
n1.2.12
n1.2.2
n1.2.3
n1.2.4
n1.2.5
n1.2.6
n1.2.7
n1.2.8
n1.2.9
n1.3-dev
n2.*
n2.0
n2.0.1
n2.0.2
n2.0.3
n2.0.4
n2.0.5
n2.0.6
n2.0.7
n2.1
n2.1-dev
n2.1.1
n2.1.2
n2.1.3
n2.1.4
n2.1.5
n2.1.6
n2.1.7
n2.1.8
n2.2
n2.2-dev
n2.2-rc1
n2.2-rc2
n2.2.1
n2.2.10
n2.2.11
n2.2.12
n2.2.13
n2.2.14
n2.2.15
n2.2.16
n2.2.2
n2.2.3
n2.2.4
n2.2.5
n2.2.6
n2.2.7
n2.2.8
n2.2.9
n2.3
n2.3-dev
n2.3.1
n2.3.2
n2.3.3
n2.3.4
n2.3.5
n2.3.6
n2.4
n2.4-dev
n2.4.1
n2.4.10
n2.4.11
n2.4.12
n2.4.13
n2.4.2
n2.4.3
n2.4.4
n2.4.5
n2.4.6
n2.4.7
n2.4.8
n2.4.9
n2.5
n2.5-dev
n2.5.1
n2.5.10
n2.5.11
n2.5.2
n2.5.3
n2.5.4
n2.5.5
n2.5.6
n2.5.7
n2.5.8
n2.5.9
n2.6
n2.6-dev
n2.6.1
n2.6.2
n2.6.3
n2.6.4
n2.6.5
n2.6.6
n2.6.7
n2.6.8
n2.6.9
n2.7
n2.7-dev
n2.7.1
n2.7.2
n2.7.3
n2.7.4
n2.7.5
n2.7.6
n2.7.7
n2.8
n2.8-dev
n2.8.1
n2.8.10
n2.8.11
n2.8.12
n2.8.13
n2.8.14
n2.8.15
n2.8.16
n2.8.17
n2.8.18
n2.8.19
n2.8.2
n2.8.20
n2.8.21
n2.8.22
n2.8.3
n2.8.4
n2.8.5
n2.8.6
n2.8.7
n2.8.8
n2.8.9
n2.9-dev
n3.*
n3.0
n3.0.1
n3.0.10
n3.0.11
n3.0.12
n3.0.2
n3.0.3
n3.0.4
n3.0.5
n3.0.6
n3.0.7
n3.0.8
n3.0.9
n3.1
n3.1-dev
n3.1.1
n3.1.10
n3.1.11
n3.1.2
n3.1.3
n3.1.4
n3.1.5
n3.1.6
n3.1.7
n3.1.8
n3.1.9
n3.2
n3.2-dev
n3.2.1
n3.2.10
n3.2.11
n3.2.12
n3.2.13
n3.2.14
n3.2.15
n3.2.16
n3.2.17
n3.2.18
n3.2.19
n3.2.2
n3.2.3
n3.2.4
n3.2.5
n3.2.6
n3.2.7
n3.2.8
n3.2.9
n3.3
n3.3-dev
n3.3.1
n3.3.2
n3.3.3
n3.4-dev
v0.*
v0.5
v0.5.1
v0.5.2
v0.5.3
v0.6
v0.6.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14169.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]
vanir_signatures
[
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "145681048188837608801980436478399871595",
"length": 638.0
},
"source": "https://github.com/ffmpeg/ffmpeg/commit/a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f",
"id": "CVE-2017-14169-067e37a8",
"target": {
"file": "libavformat/mxfdec.c",
"function": "mxf_read_primer_pack"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "215980360088194757613814720094782596304",
"length": 796.0
},
"source": "https://github.com/ffmpeg/ffmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad",
"id": "CVE-2017-14169-9be0640c",
"target": {
"file": "libavformat/mxfdec.c",
"function": "mxf_read_primer_pack"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"193241184267398173670347337009823642261",
"171630981959435583466780572277167453657",
"327319554379019788563009068008743800395",
"312527470193396409146904769858631136432"
],
"threshold": 0.9
},
"source": "https://github.com/ffmpeg/ffmpeg/commit/a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f",
"id": "CVE-2017-14169-a51d75af",
"target": {
"file": "libavformat/mxfdec.c"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"193241184267398173670347337009823642261",
"171630981959435583466780572277167453657",
"327319554379019788563009068008743800395",
"312527470193396409146904769858631136432"
],
"threshold": 0.9
},
"source": "https://github.com/ffmpeg/ffmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad",
"id": "CVE-2017-14169-e79cf0d7",
"target": {
"file": "libavformat/mxfdec.c"
}
}
]