{
  "affected": [
    {
      "database_specific": {
        "unresolved_ranges": [
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "9.0"
              }
            ]
          }
        ]
      },
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "e049f7c24fc6aa5fc925f860e2ad940a75cfd84f"
            },
            {
              "fixed": "ed22dc22216f74c75ee7901f82649e1ff725ba50"
            }
          ],
          "repo": "https://github.com/ffmpeg/ffmpeg",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact.",
  "id": "CVE-2018-13302",
  "modified": "2026-03-10T13:36:37.977595723Z",
  "published": "2018-07-05T17:29:00.437Z",
  "references": [
    {
      "type": "WEB"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.securityfocus.com/bid/104675"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.debian.org/security/2018/dsa-4249"
    },
    {
      "type": "FIX",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}