CVE-2017-14169
HIGHFFmpeg 2.4-3.3.3 - Integer Signedness Error in MXF Primer Pack Parser
Title source: llmDescription
In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value.
References (5)
Core 5
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100692
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3996
Patch x_refsource_confirm
https://github.com/FFmpeg/FFmpeg/commit/a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f
Scores
CVSS v3
8.8
EPSS
0.0257
EPSS Percentile
83.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (3)
debian/debian_linux
8.0
debian/debian_linux
9.0
ffmpeg/ffmpeg
3.3.3
Published
Sep 07, 2017
Tracked Since
Feb 18, 2026