Vulnerabilities > CVE-2021-45385 - NULL Pointer Dereference vulnerability in Rockcarry Ffjpeg 20211206

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

rockcarry

CWE-476

NVD

Published: 2022-02-11

Updated: 2023-08-17

Summary

A Null Pointer Dereference vulnerability exits in ffjpeg d5cfd49 (2021-12-06) in bmp_load(). When the size information in metadata of the bmp is out of range, it returns without assign memory buffer to `pb->pdata` and did not exit the program. So the program crashes when it tries to access the pb->data, in jfif_encode() at jfif.c:763. This is due to the incomplete patch for CVE-2020-13438.

Vulnerable Configurations

Part	Description	Count
Application	Rockcarry Rockcarry Ffjpeg 2021-12-06	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://github.com/rockcarry/ffjpeg/pull/48
https://github.com/rockcarry/ffjpeg/issues/47