FFmpeg Security

Please report vulnerabilities to ffmpeg-security@ffmpeg.org

FFmpeg 2.1

2.1

Fixes following vulnerabilities:

commit 29ffeef5e73b8f41ff3a3f2242d356759c66f91f
commit 3819db745da2ac7fb3faacb116788c32f4753f34
commit 454a11a1c9c686c78aa97954306fb63453299760
commit 547d690d676064069d44703a1917e0dab7e33445
commit 780669ef7c23c00836a24921fcc6b03be2b8ca4a
commit 821a5938d100458f4d09d634041b05c860554ce0
commit 86736f59d6a527d8bc807d09b93f971c0fe0bb07
commit 880c73cd76109697447fbfbaa8e5ee5683309446
commit 8bb11c3ca77b52e05a9ed1496a65f8a76e6e2d8f
commit 912ce9dd2080c5837285a471d750fa311e09b555
commit 9a271a9368eaabf99e6c2046103acb33957e63b7
commit a1b9004b768bef606ee98d417bceb9392ceb788d
commit b05cd1ea7e45a836f7f6071a716c38bb30326e0f
commit cdd5df8189ff1537f7abe8defe971f80602cc2d2
commit e07ac727c1cc9eed39e7f9117c97006f719864bd
commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a
commit fe448cd28d674c3eff3072552eae366d0b659ce9

FFmpeg 2.0

2.0.1

Fixes following vulnerabilities:

CVE-2013-4263, 1bf2461765c58aad5829ea45a2885d11f50b73f0 / e43a0a232dbf6d3c161823c2e07c52e76227a1bc
CVE-2013-4264, acf511de34e0b79fff0183e06ed37f1aa8dc3d94 / 2960576378d17d71cc8dccc926352ce568b5eec1
CVE-2013-4265, 211374e52a933a2b3f21a4d6e66e9f1b0623e44e / c94f9e854228e0ea00e1de8769d8d3f7cab84a55

2.0

Fixes following vulnerabilities:

CVE-2013-3670, c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb
CVE-2013-3671, 7edb984dd051b6919d7d8471c70499273f31b0fa
CVE-2013-3672, 8d3c99e825317b7efda5fd12e69896b47c700303
CVE-2013-3673, d23b8462b5a4a9da78ed45c4a7a3b35d538df909
CVE-2013-3674, ad002e1a13a8df934bd6cb2c84175a4780ab8942
CVE-2013-3675, 9dd04f6d8cdd1c10c28b2cb4252c1a41df581915

FFmpeg 1.2

1.2.1

Fixes following vulnerabilities:

CVE-2013-3670, 0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652 / c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb
CVE-2013-3671, cc0dd86580b3257f22a4981a79eb5fa6804182b6 / 7edb984dd051b6919d7d8471c70499273f31b0fa
CVE-2013-3672, 7fa6db2545643efb4fe2e0bb501fa50af35a6330 / 8d3c99e825317b7efda5fd12e69896b47c700303
CVE-2013-3673, 7ee5e97c46e30fb3d6f9f78cc3313dbc06528b37 / d23b8462b5a4a9da78ed45c4a7a3b35d538df909
CVE-2013-3674, 7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd / ad002e1a13a8df934bd6cb2c84175a4780ab8942
CVE-2013-3675, 524d0d2cfc7bab1b348f85e7c0369859e63781cf / 9dd04f6d8cdd1c10c28b2cb4252c1a41df581915

1.2

Fixes following vulnerabilities:

CVE-2013-2495, 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba
CVE-2013-2496, e398990eb87785e20e065cd3f14d1dbb69df4392
CVE-2013-0870, 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a

FFmpeg 1.1

1.1.4

Fixes following vulnerabilities:

CVE-2013-2495, f719e6566c08dc1e18cf1caf07ba8c0e93cd7283 / 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba
CVE-2013-2496, e398990eb87785e20e065cd3f14d1dbb69df4392 / b9a1efa6f4d4cda20ce796614ff5b0c523df5672

1.1.3

Fixes following vulnerabilities:

CVE-2013-2277, 02d1efdd5b61cefb96562ff9b94c03486a8ead15 / bdeb61ccc67911cfc5e20c7cfb1312d0501ca90a
CVE-2013-2276, 469cb61193861baf46cce76f98985b026b08cd8d / 8a6449167a6da8cb747cfe3502ae86ffaac2ed48
CVE-2013-0872, 7c40a0449b4771a0a09c3c38e081d3869d1f917b / 21cd905cd44a4bbafe8631bbaa6021d328413ce5
CVE-2013-0873, 811a504c6bc2586a8ea5d52fbcfee94277123eb5 / 4f1279154ee9baf2078241bf5619774970d18b25
CVE-2013-0874, 75211f2b8cfb8b4a3f47c514e55585651eeb2767 / e1219cdaf9fb4bc8cea410e1caf802373c1bfe51
CVE-2013-0875, f6687bbb6464532f14b3246cdb7b03f6d04b25cb / 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1
CVE-2013-0876, 1400f1a1e46d72dc38d4cee66f611d91c3a1f49b / 5260edee7e5bd975837696c8c8c1a80eb2fbd7c1
CVE-2013-0877, 1ea5bbc5940d2ea5ec1eea83cccef331d737f5f6 / 365270aec5c2b9284230abc702b11168818f14cf
CVE-2013-0878, f5955d9f6f9ffdb81864c3de1c7b801782a55725 / 796012af6c780b5b13ebca39a491f215515a18fe

1.1.2

Fixes following vulnerabilities:

CVE-2013-0862, f4fb841ad13bab66d4fb0c7ff2a94770df7815d8 / 49b729d3af8464de431362e6c5b3027102bc2f88
CVE-2013-0863, 62c9beda0c189db5cb61fa772057e3af9521f293 / 7357ca900efcf829de4cce4cec6ddc286526d417
CVE-2013-0864, 9547034f9120187e23ad76424dd4d70247e62212 / c10350358da58600884292c08a8690289b81de29
CVE-2013-0865, f3d16706060ab6ae6dc78f15359fab3fd87c9495 / ab6c9332bfa1e20127a16392a0b85a4aa4840889
CVE-2013-0866, 47e462eecc0a47ad40f59376199f93f227e21d13 / 96f452ac647dae33c53c242ef3266b65a9beafb6
CVE-2013-0867, 3ef1538121fa6daeb1767510f1d4ae2c306c9fec / 11c99c78bafa77f679a1a3ba06ad00984b9a4cae
CVE-2013-0868, 6baa54924980e1f0e8121e4715d16ed1adcd2a23 / f67a0d115254461649470452058fa3c28c0df294
               75e88db33013eaa7ab74457f5556df677b4ffb42 / 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
CVE-2013-0869, eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce / 695af8eed642ff0104834495652d1ee784a4c14d

1.1.1

Fixes following vulnerabilities:

CVE-2013-0860, 68a0477bc0af026db971ddba22541029a9e8715b / 23318a57358358e7a4dc551e830e4503f0638cfe
CVE-2013-0861, 43c6b45a53a186a187f7266e4d6bd3c2620519f1 / d270c3202539e8364c46410e15f7570800e33343

1.1

Fixes following vulnerabilities:

CVE-2013-0844, f18c873ab5ee3c78d00fdcc2582b39c133faecb4
CVE-2013-0845, 0ceca269b66ec12a23bf0907bd2c220513cdbf16
CVE-2013-0846, a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed
CVE-2013-0847, 10416a4d56fa8a89784e4fb62099c3cab17a9952
CVE-2013-0848, 6abb9a901fca27da14d4fffbb01948288b5da3ba
CVE-2013-0849, 3ae610451170cd5a28b33950006ff0bd23036845
CVE-2013-0850, d6c184880ee2e09fd68c0ae217173832cee5afc1
CVE-2013-0851, 63ac64864c6e0e84355aa3caa5b92208997a9a8d
CVE-2013-0852, c0d68be555f5858703383040e04fcd6529777061
CVE-2013-0853, be818df547c3b0ae4fadb50fd210139a8636706a
CVE-2013-0854, 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29
CVE-2013-0855, 3920d1387834e2bc334aff9f518f4beb24e470bd
CVE-2013-0856, fd4f4923cce6a2cbf4f48640b4ac706e614a1594
CVE-2013-0857, 2fbb37b51bbea891392ad357baf8f3dff00bac05
CVE-2013-0858, 13451f5520ce6b0afde861b2285dda659f8d4fb4
CVE-2013-0859, 6d1c5ea04af3e345232aa70c944de961061dab2d

FFmpeg 1.0

1.0.4

Fixes following vulnerabilities:

CVE-2013-0866, c459c7b23efffab762560e41ad6a2c0dbbfd4915 / 96f452ac647dae33c53c242ef3266b65a9beafb6
CVE-2013-0865, 08e2c7a45f82b897a285548c257972eb1ad352c5 / ab6c9332bfa1e20127a16392a0b85a4aa4840889
CVE-2013-0863, 89e16e675d3cbe76cf4581f98bf4ac300cab0286 / 7357ca900efcf829de4cce4cec6ddc286526d417
CVE-2013-0861, 4cd1dad91ae97fe1f0dd534c3f5566787566f137 / d270c3202539e8364c46410e15f7570800e33343
CVE-2013-0860, 3e196e4def03c7a91423803402f84d638d316c33 / 23318a57358358e7a4dc551e830e4503f0638cfe
CVE-2013-0858, 2502914c5f8eb77659d7c0868396862557a63245 / 13451f5520ce6b0afde861b2285dda659f8d4fb4
CVE-2013-0845, 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 / 0ceca269b66ec12a23bf0907bd2c220513cdbf16
CVE-2013-0844, 85a14dbd5dca34320f58b1ba11dd6dd0df4fb3be / f18c873ab5ee3c78d00fdcc2582b39c133faecb4
CVE-2013-0868, b666debffec1fcbb19ef377635a53b9a58bca8a4 / f67a0d115254461649470452058fa3c28c0df294
               db0f7f7394e1f994ed38db043f78ed0f10bde0da / 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
CVE-2013-0862, 8eda88868399de00806cf21a966d9660db4ae9b4 / 49b729d3af8464de431362e6c5b3027102bc2f88

1.0.2

Fixes following (minor) vulnerabilities:

commit 20c121c00747d6c3b0b0f98deeff021171b2ed74 / c83002a4f8042ccfa0688a9a18e8fa0369c1fda8
commit 68e48ed72e0597ae61bc3e9e6e6d9edcb1a00073 / 7d66bc7920240cc0e8df6c44b2d2cdbe4b228fbe
commit 9929991da7b843e7d80154fcacc4e80579b86a2d / cbe43e62c9ac7d4aefdc13476f6f691bd626525f
commit e74cd2f4706f71da5e9205003c1d8263b54ed3fb / 03847eb8259291b4ff1bd840bd779d0699d71f96

1.0.1

Fixes following vulnerabilities:

CVE-2013-0859, 0b9be54e97fa574867d5e99a3623d1db7df7b274 / 6d1c5ea04af3e345232aa70c944de961061dab2d
CVE-2013-0857, 112d4c400f0e0d5d1621fc8db515907cffaae259 / 2fbb37b51bbea891392ad357baf8f3dff00bac05
CVE-2013-0856, e0884eadf6a15e93142131b695f48776f9a0ac31 / fd4f4923cce6a2cbf4f48640b4ac706e614a1594
CVE-2013-0855, c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d / 3920d1387834e2bc334aff9f518f4beb24e470bd
CVE-2013-0853, c51c5f83c13b0fa3e332e59bf764fdc598476b2e / be818df547c3b0ae4fadb50fd210139a8636706a
CVE-2013-0852, 28bf685bfc6d0c744369cdf367f61a78d80d0b01 / c0d68be555f5858703383040e04fcd6529777061
CVE-2013-0851, c8833a13cf530fbf5b1d579cd1ae527a0904403f / 63ac64864c6e0e84355aa3caa5b92208997a9a8d
CVE-2013-0850, c82d6e05da0898c45ae915fb808e175f6a4ec7e5 / d6c184880ee2e09fd68c0ae217173832cee5afc1
CVE-2013-0849, 38e8f78c041bd28f5b8d32f2fd945eae8ce28598 / 3ae610451170cd5a28b33950006ff0bd23036845
CVE-2013-0848, 74241de7ed501a34e7dfe291eed3339ca7b50755 / 6abb9a901fca27da14d4fffbb01948288b5da3ba
CVE-2013-0846, e34369e8ece08b7bd820366dea5965f4c40c0080 / a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed

FFmpeg 0.11

0.11.4

Fixes following vulnerabilities:

CVE-2013-0869, 1934bb75361e7859873c6bf94ee1ceb17981c550 / 695af8eed642ff0104834495652d1ee784a4c14d
CVE-2013-4358, 39ed5442620a7a0fd2328b7d4aefc6ae152c5441 / b9d887c225466576ae80ef7f2b109e866ff137b2

0.11

Fixes following vulnerabilities:

CVE-2012-2772, cb7190cd2c691fd93e4d3664f3fce6c19ee001dd
CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2775, 9d3032b960ae03066c008d6e6774f68b17a1d69d
CVE-2012-2776, ba775a54bc2136ec5da85385a923b05ee6fab159
CVE-2012-2777, 25715064c2ef4978672a91f8c856f3e8809a7c45
CVE-2012-2779, 229e4c133287955d5f3f837520a3602709b21950
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
               d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2786, d1c95d2ce39560e251fdb14f4af91b04fd7b845c
CVE-2012-2787, 01bf2ad7351fdaa2e21b6bdf963d22d6ffccb920
CVE-2012-2788, c41ac870470c614185e1752c11f892809022248a
CVE-2012-2789, 97a5addfcf0029d0f5538ed70cb38cae4108a618
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2793, 83c7803f55b3231faeb93c1a634399a70fae9480
CVE-2012-2794, 5ad7335ebac2b38bb2a1c8df51a500b78461c05a
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
               2a7063de547b1d8fb1cef523469390fb59fb2c50
               b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2798, 72b9537d8886f679494651df517dfed9b420cf1f
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2800, f0bf9e9c2a65e9a2b9d9e4e94f99acb191dc7ae7
CVE-2012-2801, 1df49142bab1b7bccd11392aa9e819e297d21a6e
CVE-2012-2802, 2c22701c371c2f3dea21fcdbb97c981939fb77af
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

FFmpeg 0.10

0.10.7

Fixes following vulnerabilities:

CVE-2013-0868, b07c791252707c88f610daa668eae3ddc6fbccc7 / 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
               ba4b57e8024a9635b4eaf7f3cc08837b065bd4c9 / f67a0d115254461649470452058fa3c28c0df294
c3d7c805bc9c1ed584e92649cd8fa8cbb7010967 / c83002a4f8042ccfa0688a9a18e8fa0369c1fda8

0.10.6

Fixes following vulnerabilities:

CVE-2012-2796, CVE-2012-2775, CVE-2012-2772, CVE-2012-2776,
CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, CVE-2012-2800,
CVE-2012-2802, CVE-2012-2801, CVE-2012-2786, CVE-2012-2798,
CVE-2012-2793, CVE-2012-2789, CVE-2012-2788, CVE-2012-2790,
CVE-2012-2777, CVE-2012-2784

0.10.3

Fixes following vulnerabilities:

CVE-2012-0947, CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, CVE-2012-2780,
CVE-2012-2781, CVE-2012-2805,

0.10

Fixes following vulnerabilities:

CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944,
CVE-2011-3945, CVE-2011-3946, CVE-2011-3947, CVE-2011-3949,
CVE-2011-3950, CVE-2011-3951, CVE-2011-3952

and several others that do not have a CVE number. Many of these issues can be exploited when a remote file is played back and some are probable arbitrary code execution vulnerabilities.

FFmpeg 0.10 is unaffected by:

CVE-2011-3930, CVE-2011-3931, CVE-2011-3932, CVE-2011-3933,
CVE-2011-3938, CVE-2011-3939, CVE-2011-3942, CVE-2011-3943,
CVE-2011-3948.

FFmpeg 0.9

0.9.1

Fixes following vulnerabilities:

CVE-2011-3893, CVE-2011-3895,

CVE-2012-0847 FFmpeg ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi:
add missing check in avfilter_filter_samples()

CVE-2012-0848 FFmpeg 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1:
Fix wrong samples count and crash.

CVE-2012-0849 FFmpeg 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec:
Fix integer overflow leading to a segfault

CVE-2012-0850 FFmpeg 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr:
Fix memory corruption.

CVE-2012-0851 FFmpeg 7fff64e00d886fde11d61958888c82b461cf99b9 h264:
check chroma_format_idc range.

CVE-2012-0852 FFmpeg 608708009f69ba4cecebf05120c696167494c897 adpcm:
Fix crash

CVE-2012-0853 FFmpeg 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3:
Fix crash in tonal component decoding.

CVE-2012-0854 FFmpeg 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5
CODEC_ID_SOL_DPCM: Fix used write buffer.

CVE-2012-0855 FFmpeg 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec:
Check curtileno for validity

CVE-2012-0856 FFmpeg 21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec:
Fix regression / crash with lowres.

CVE-2012-0857 FFmpeg 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec:
Fix crash in get_qcx

CVE-2012-0858 FFmpeg 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten:
Fix invalid free()

CVE-2012-0859 FFmpeg 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis:
Fix last quarter of CVE-2011-3893

and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities

FFmpeg 0.8

0.8.11

Fixes following vulnerabilities:

CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that dont have CVE numbers.

0.8.10

Fixes CVE-2011-3893 and CVE-2011-3895, and many more

0.8.7

Fixes CVE-2011-4352/NGS00145, CVE-2011-4579/NGS00148, CVE-2011-4351, NGS00144, CVE-2011-4353 among others

0.8.6

Fixes CVE-2011-3892 among others

0.8.5

Fixes CVE-2011-4364 among others

FFmpeg 0.7

0.7.12

Fixes following vulnerabilities:

CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that dont have CVE numbers.

0.7.11

Fixes CVE-2011-3893 and CVE-2011-3895, and many more

0.7.8

Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4351, CVE-2011-4353

0.7.7

Fixes CVE-2011-3892

0.7.6

Fixes CVE-2011-4364 among others

FFmpeg 0.6

0.6.5

Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895

0.6.4

Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4353, CVE-2011-4351, CVE-2011-4364

FFmpeg 0.5

0.5.8

Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895

0.5.7

CVE-2011-4353

0.5.6

Fixes CVE-2011-4579, CVE-2011-4351

0.5.5

Fixes CVE-2011-3504, CVE-2011-3362, CVE-2011-3973, CVE-2011-3974

0.5.4

Fixes CVE-2010-3908, CVE-2011-0722, CVE-2010-4704, CVE-2011-0480, CVE-2011-0723