Bugzilla – Bug 998459
VUL-0: CVE-2016-7393: libav: out-of-bounds stack read
Last modified: 2020-04-30 15:08:51 UTC
CVE-2016-7393

A crafted file causes a stack-based buffer overflow. The ASan report may be confused because it mentions get_bits, but the issue is in aac_sync.

This issue was discovered last year; I reported it to Luca Barbato privately and I didn’t follow its state. Before I made the report, the bug was noticed by Janne Grunau because the fate test reported a failure, then he fixed it, but at that time there were no stable release(s) that included the fix.

This bug was found with American Fuzzy Lop.

This bug does not affect ffmpeg.

The same fix was applied to another part of (similar) code in the ac3_parser.c file.

References:
https://git.libav.org/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d
https://blogs.gentoo.org/ago/2016/08/20/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7393
http://seclists.org/oss-sec/2016/q3/477
bugbot adjusting priority
Fixed in Leap 15.1, closing.