CVE-2017-10699

Priority
Description
avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before
2017-06-29, allows out-of-bounds heap memory write due to calling memcpy()
with a wrong size, leading to a denial of service (application crash) or
possibly code execution.
Ubuntu-Description
It was discovered that VLC mishandled certain crafted media files. An attacker
could use this vulnerability to cause a denial of service (crash) or possibly
execute arbitrary code.
Assigned-to
mikesalvatore
Notes
ratliff> notes from the upstream:
"The avcodec library does not give bogus video sizes on 3.0, so the
issue only exists on the 2.2.x branch. Fixes have been pushed on the
2.2.x branch and guards added as well on both versions."
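The description and the upstream note above describe a single bug class: a picture buffer is allocated for the dimensions negotiated when the decoder was opened, the decoder later hands back a frame whose reported geometry a crafted file can make larger, and a memcpy() sized from the frame rather than from the buffer writes past the heap allocation. The added example below illustrates that class and the kind of guard the upstream note refers to; it is written for this page, is not VLC's or libavcodec's code, and every type, field and function name in it (picture_t, frame_t, copy_frame_checked and the rest) is this example's own assumption, as is the constructed 64x32 picture / 64x48 frame scenario.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Picture buffer sized from the dimensions negotiated when the decoder was
 * opened. Hypothetical layout: one 8-bit plane, pitch == width. */
typedef struct {
    unsigned width, height;  /* dimensions the buffer was allocated for */
    size_t   pitch;          /* bytes per row actually allocated */
    size_t   size;           /* total bytes allocated: pitch * height */
    uint8_t *data;
} picture_t;

/* A decoded frame as the decoder hands it back. A crafted file can make the
 * decoder report a geometry that disagrees with the negotiated one. */
typedef struct {
    unsigned width, height;
    size_t   linesize;       /* bytes per row in the decoder's buffer */
    const uint8_t *data;
} frame_t;

static picture_t *picture_new(unsigned w, unsigned h)
{
    picture_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->width = w; p->height = h; p->pitch = w;
    p->size = p->pitch * h;
    p->data = calloc(p->size, 1);
    if (!p->data) { free(p); return NULL; }
    return p;
}

static void picture_delete(picture_t *p) { if (p) { free(p->data); free(p); } }

/* Bytes past the start of pic->data that a row-by-row memcpy driven by the
 * frame's own height and linesize would touch. Anything larger than
 * pic->size is a heap out-of-bounds write: the bug class in the description. */
static size_t unchecked_copy_extent(const picture_t *pic, const frame_t *frm)
{
    if (frm->height == 0) return 0;
    return (size_t)(frm->height - 1) * pic->pitch + frm->linesize;
}

/* Vulnerable pattern: the memcpy size comes from the frame, the destination
 * size from the picture. Only ever reached here through the guarded wrapper. */
static void copy_frame_unchecked(picture_t *pic, const frame_t *frm)
{
    for (unsigned y = 0; y < frm->height; y++)
        memcpy(pic->data + (size_t)y * pic->pitch,
               frm->data + (size_t)y * frm->linesize, frm->linesize);
}

/* Guarded version: reject any frame whose geometry does not fit the buffer
 * the picture was allocated for, before a single byte is copied. */
static int copy_frame_checked(picture_t *pic, const frame_t *frm)
{
    if (frm->width > pic->width || frm->height > pic->height ||
        frm->linesize > pic->pitch || frm->width > frm->linesize)
        return -1;                        /* bogus geometry: drop the frame */
    if (unchecked_copy_extent(pic, frm) > pic->size)
        return -1;                        /* belt and braces */
    copy_frame_unchecked(pic, frm);       /* now provably in bounds */
    return 0;
}

/* Constructed scenario: picture negotiated as 64x32, decoder returns a frame
 * claiming 64x48. Returns 1 if the unchecked copy would have overrun the
 * buffer and the guard rejected the frame. */
static int crafted_frame_is_rejected(void)
{
    static uint8_t frame_bytes[64 * 48];
    memset(frame_bytes, 0xAA, sizeof frame_bytes);
    picture_t *pic = picture_new(64, 32);
    if (!pic) return 0;
    frame_t frm = { 64, 48, 64, frame_bytes };
    int overruns = unchecked_copy_extent(pic, &frm) > pic->size;  /* 3072 > 2048 */
    int rejected = copy_frame_checked(pic, &frm) == -1;
    picture_delete(pic);
    return overruns && rejected;
}

/* Control: a frame matching the negotiated geometry is copied in full. */
static int valid_frame_is_copied(void)
{
    static uint8_t frame_bytes[64 * 32];
    memset(frame_bytes, 0x5A, sizeof frame_bytes);
    picture_t *pic = picture_new(64, 32);
    if (!pic) return 0;
    frame_t frm = { 64, 32, 64, frame_bytes };
    int ok = copy_frame_checked(pic, &frm) == 0 &&
             memcmp(pic->data, frame_bytes, pic->size) == 0;
    picture_delete(pic);
    return ok;
}

int main(void)
{
    printf("crafted 64x48 frame into 64x32 picture rejected: %s\n",
           crafted_frame_is_rejected() ? "yes" : "no");
    printf("valid 64x32 frame copied: %s\n",
           valid_frame_is_copied() ? "yes" : "no");
    return 0;
}
```

The guard checks the frame against the buffer's own allocation record rather than against what the container declared, which is the only value the copy can trust: the upstream note says 3.0 no longer produces the bogus sizes, but the guard is what keeps a decoder-side regression from turning back into a heap write.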
Package
Source: vlc (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.2.2-5ubuntu0.16.04.3)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.2.6-2ubuntu1)
More Information

Updated: 2020-09-10 05:35:20 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)