{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "11.11" }, { "introduced": "0" }, { "last_affected": "12.0" }, { "introduced": "0" }, { "last_affected": "12.1" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "8a212b1d060267671823f562baaea570194770f5" }, { "introduced": "0" }, { "last_affected": "11cd727fbd603197cb1e49654fce3352d56f8fd8" }, { "introduced": "0" }, { "last_affected": "c9ea47b37813c513e9d5e46bfceaa54f63e8e8bd" }, { "fixed": "cd4663dc80323ba64989d0c103d51ad3ee0e9c2f" } ], "repo": "https://github.com/libav/libav", "type": "GIT" } ] } ], "details": "In Libav through 11.11 and 12.x through 12.1, the smacker_decode_tree function in libavcodec/smacker.c does not properly restrict tree recursion, which allows remote attackers to cause a denial of service (bitstream.c:build_table() out-of-bounds read and application crash) via a crafted Smacker stream.", "id": "CVE-2017-16803", "modified": "2026-03-15T13:47:21.422743295Z", "published": "2017-11-13T17:29:00.567Z", "references": [ { "type": "ADVISORY", "url": "http://www.securityfocus.com/bid/101882" }, { "type": "ADVISORY", "url": "https://security.gentoo.org/glsa/201811-19" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2018/dsa-4119" }, { "type": "REPORT", "url": "https://bugzilla.libav.org/show_bug.cgi?id=1098" }, { "type": "REPORT", "url": "https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }