CVE-2020-36407

NameCVE-2020-36407
Descriptionlibavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataFillImageGrid.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libavif (PTS)bullseye0.8.4-2+deb11u1fixed
bookworm0.11.1-1fixed
sid, trixie1.0.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libavifsource(unstable)0.8.2-1

Notes

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24811
https://github.com/AOMediaCodec/libavif/commit/0a8e7244d494ae98e9756355dfbfb6697ded2ff9
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libavif/OSV-2020-1597.yaml
Search for package or bug name: Reporting problems