Backporting of fixes for CVE-2020-35965/oss-fuzz issue 26532 to FFmpeg 4.3
|Reported by:||Jonas Witschel||Owned by:|
|Blocking:||Reproduced by developer:||no|
|Analyzed by developer:||no|
According to the CVE description and the oss-fuzz issue details, this vulnerability is fixed by two commits, b0a8b40294ea212c1938348ff112ef1b9bf16bb3 ("avcodec/exr: skip bottom clearing loop when its outside the image") and 3e5959b3457f7f1856d997261e6ac672bba49e8b ("avcodec/exr: Check ymin vs. h").
However, only the latter seems to have been backported to the release/4.3 branch (as commit a53ffb15d8ae9bed14041b4cf62e436852e95431) and thus has been included in the FFmpeg 4.3.2 release. Is this correct, or does the former commit need to be backported as well?