OSS-Fuzz is continuous fuzzing for Open Source Software. See $URL for more details about the issue.
Commit fix: https://github.com/FFmpeg/FFmpeg/commit/f1baafac7129c3bb8d4abaaa899988c7a51ca5cd
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
this does not seem fixed in 3.3.3
note: 3.3.3 can go stable; but bug #626414 is not yet fixed
(In reply to Alexis Ballier from comment #2)
> note: 3.3.3 can go stable; but bug #626414 is not yet fixed
sorry, wrong bug
(In reply to Alexis Ballier from comment #1)
> this does not seem fixed in 3.3.3
How can this issue be reproduced with FFmpeg 3.3.3?
Did you find any FFmpeg release that allows reproducing this issue?
The issue was introduced in June 2017, and 3.3 was released in April...
(In reply to Carl Eugen Hoyos from comment #4)
> (In reply to Alexis Ballier from comment #1)
> > this does not seem fixed in 3.3.3
>
> How can this issue be reproduced with FFmpeg 3.3.3?
> Did you find any FFmpeg release that allows reproducing this issue?
>
> The issue was introduced in June 2017, and 3.3 was released in April...
I did not try to reproduce and had not realized this applied to git master only (where is this mentioned?); I just checked for the relevant backports in release/3.3 and if the fixed code was present in 3.3.3. A closer look shows that indeed this applies only to the new features introduced after 3.3 had been released. This is a non-issue then, thanks Carl.
Per previous comments from the maintainer, this vulnerability was introduced after the 3.3.x branch. 3.4.1 is the current unstable ebuild in tree and is fixed.