In Libav through 11.11 and 12.x through 12.1, the smackerdecodetree function in libavcodec/smacker.c does not properly restrict tree recursion, which allows remote attackers to cause a denial of service (bitstream.c:build_table() out-of-bounds read and application crash) via a crafted Smacker stream.
{
"cpe": [
"cpe:2.3:a:libav:libav:*:*:*:*:*:*:*:*",
"cpe:2.3:a:libav:libav:12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:libav:libav:12.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "11.11"
},
{
"introduced": "12.0"
},
{
"last_affected": "12.0"
},
{
"introduced": "12.1"
},
{
"last_affected": "12.1"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
]
}