CVE-2018-13301
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-13301
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-13301.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-13301
- Downstream
- Related
- Published
- 2018-07-05T17:29:00Z
- Modified
- 2025-10-22T19:02:23.489191Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ffmpeg4decodepictureheader function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service.
- References
Affected packages
Git / git.ffmpeg.org/ffmpeg.git
Git / git.ffmpeg.org/ffmpeg.git
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
Database specific
vanir_signatures
[
{
"source": "https://github.com/ffmpeg/ffmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b",
"target": {
"function": "ff_mpeg4_decode_picture_header",
"file": "libavcodec/mpeg4videodec.c"
},
"id": "CVE-2018-13301-1e0bbfee",
"deprecated": false,
"digest": {
"function_hash": "68964249118775948532251749281526738610",
"length": 4839.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/ffmpeg/ffmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b",
"target": {
"file": "libavcodec/mpeg4videodec.c"
},
"id": "CVE-2018-13301-9e4963d5",
"deprecated": false,
"digest": {
"line_hashes": [
"233299622311307785533508059681355998726",
"207241619994396014396558140523367239608",
"177435057124521766130865242719557301830",
"339127581168994191785220148555854764575",
"229408726659063287550116270476114514763",
"320253798208562027100910864703519299677",
"88108679225706113055928323335199453587",
"72868725193473715878547893389605945802",
"317379096000998379459118783259844145148",
"35179002168177949934239002314297127186",
"237666933241123373415431091878067085266",
"58520960334587029648049796218830436826",
"205988179228698167535919190029537414936",
"41412947436669317219508560263566516481",
"294639878760812995551560723967848898108",
"337561212011190879782893813999107266606",
"166539988119978690211630587722194839671",
"252940690963599090017371843428856661174",
"76021399495569760132443506007294444199",
"275210860503489031422508135210918469632",
"82227797915621386760704386022852934952",
"302877332129873584243634203918951947571",
"271904439334739552926260759328569695799"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/ffmpeg/ffmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b",
"target": {
"function": "mpeg4_decode_profile_level",
"file": "libavcodec/mpeg4videodec.c"
},
"id": "CVE-2018-13301-ec5d99aa",
"deprecated": false,
"digest": {
"function_hash": "229922383581172170650712037378511838544",
"length": 278.0
},
"signature_type": "Function",
"signature_version": "v1"
}
]