VDB

ALPINE-CVE-2017-14169

ALPINE-CVE-2017-14169 PUBLISHED CVSS 8.800000190734863 HIGH

In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value.

Risk Scores

CVSS v3.0
8.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.7ffmpeg3.2.4-r0, 0.11.1-r1, 0.11.1-r0
Alpine:v3.4ffmpeg0.11.2-r1, 0.5-r0, 0.6-r1
Alpine:v3.6ffmpeg1.2.4-r0, 0, 0.10-r1
Alpine:v3.5ffmpeg0, 3.1.7-r0, 3.1.6-r0

Timeline

  • Sep 7, 2017 CVE Published
  • Nov 19, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›