CVE-2017-9990
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-9990
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9990.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-9990
- Published
- 2017-06-28T06:29:00Z
- Modified
- 2025-10-14T16:18:01.452853Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Stack-based buffer overflow in the colorstringto_rgba function in libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.
- References
Affected packages
Git / git.ffmpeg.org/ffmpeg.git
Affected ranges
- Type
- GIT
- Repo
- https://git.ffmpeg.org/ffmpeg.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affected
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
Database specific
{
"vanir_signatures": [
{
"digest": {
"line_hashes": [
"63599749157636653845517448070054954079",
"65156516593260766561620374864103888082",
"335164718546423726174702895340662375802",
"183247368258288497579200601411925692703",
"62311355670432814871516321446178245244",
"31530832913622825716739144532960523114",
"105442695112224181449395028017519462934",
"85950149766818708808628690350829145243",
"260397977875054609066111641371343611724",
"78716071934112126707044916284894950873",
"138459945368558368225212138962524923506",
"248308347011489445147449693431903040959",
"142225620732406003824290260856244700552",
"188460598064415374305360642010901280471",
"97996008329020950652193527696196863343",
"2231622449625253579371126192548446919",
"12925345263743318778010887630736912594",
"200336718525528214048050427579802236315",
"105019456377802723424103556901043366635",
"199838161137426468685004035393755490593",
"72421583393763552006013243239011390784",
"318409721970682603793550411297192981828",
"71731197442197060714772462464133345366",
"138016975465716181301657658264592596735",
"339596991661191878958482495727523841730",
"145864199852780041829871188193501052647",
"291908036314379562044120359467649164488",
"47576280686261542084337531131607124871",
"279256354483998390219034707868191602145",
"60266614375859469227532310685477156355",
"323506001038971285989442446612572581318",
"48572001263821668593232709944430997542",
"288089685357001898884611972343122708753",
"54015529940763045433169911985783849053",
"46392199623422392991051924796700452846",
"189203597634726858638525552833325781720",
"3434287379989291287652226206227199484",
"200286002822345646212190050673797725013",
"257102937120690187167506752994771354844",
"122660387739318535785282199147542574314",
"263021522728277908647022740206966430883",
"176505932566972297359997964592319561786",
"103176697026674836103559628298267298603",
"242839479206994935445073191863668306520",
"163102384212397990258753254534328015979"
],
"threshold": 0.9
},
"target": {
"file": "libavcodec/xpmdec.c"
},
"signature_type": "Line",
"source": "https://github.com/ffmpeg/ffmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2017-9990-13e1b464"
},
{
"digest": {
"length": 1299.0,
"function_hash": "306163589064803581275795265117018843344"
},
"target": {
"function": "color_string_to_rgba",
"file": "libavcodec/xpmdec.c"
},
"signature_type": "Function",
"source": "https://github.com/ffmpeg/ffmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2017-9990-220540a9"
},
{
"digest": {
"length": 120.0,
"function_hash": "80469976479162606051254647122926621788"
},
"target": {
"function": "xpm_decode_close",
"file": "libavcodec/xpmdec.c"
},
"signature_type": "Function",
"source": "https://github.com/ffmpeg/ffmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2017-9990-9bbbbc08"
},
{
"digest": {
"length": 2381.0,
"function_hash": "73035522207412136017241348420352390378"
},
"target": {
"function": "xpm_decode_frame",
"file": "libavcodec/xpmdec.c"
},
"signature_type": "Function",
"source": "https://github.com/ffmpeg/ffmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2017-9990-b59f620e"
}
]
}