Unrated severity · NVD Advisory · Published Dec 18, 2019 · Updated Aug 5, 2024

CVE-2019-19887

Description

bitstr_tell at bitstr.c in ffjpeg through 2019-08-21 has a NULL pointer dereference related to jfif_encode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in ffjpeg's bitstr_tell function, triggered by jfif_encode, causes a denial of service via crafted BMP input.

Vulnerability

A NULL pointer dereference vulnerability exists in bitstr_tell at bitstr.c in ffjpeg through 2019-08-21, reachable via the jfif_encode function. When processing a specially crafted BMP file, the stream pointer passed to bitstr_tell is NULL, leading to a segmentation fault. The affected code path is triggered during JPEG encoding of malicious input. [1]

Exploitation

An attacker must provide a malformed BMP file to the ffjpeg -e command on a system with the vulnerable ffjpeg version. No authentication or special network position is required; the attack is local. The specific crash occurs at bitstr.c:221 when the NULL stream pointer is dereferenced to read the type field. [1]

Impact

Successful exploitation results in a denial of service (DoS) due to program crash (SIGSEGV). No information disclosure, privilege escalation, or remote code execution is implied by the available references. [1]

Mitigation

The fix involves adding a NULL check at the beginning of bitstr_tell, returning EOF if stream is NULL, as shown in the advisory [1]. No official patched release or date has been disclosed; users should apply the patch manually or avoid processing untrusted BMP files with ffjpeg.
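As an added illustration (not ffjpeg's code and not taken from the advisory), the simplified C model below shows the check ordering the fix describes: the pointer is validated before the type tag is read, and the caller treats a failed open as an error. All names (demo_stream, demo_open, demo_tell, demo_tell_unchecked, demo_encode) are hypothetical, and the condition that makes the open fail is a constructed assumption.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a type-tagged bit stream; every name is hypothetical. */
enum { DEMO_MEM = 1, DEMO_FILE = 2 };
typedef struct {
    int  type;   /* backend tag, first member so it can be read via void* */
    long pos;    /* current offset in bytes */
} demo_stream;

/* Assumed failure mode: open returns NULL for a missing or empty buffer. */
void *demo_open(const unsigned char *buf, long len)
{
    demo_stream *s;
    if (!buf || len <= 0) return NULL;
    s = calloc(1, sizeof *s);
    if (s) s->type = DEMO_MEM;
    return s;
}

/* Before: the tag is read first, so a NULL stream faults on this line. */
long demo_tell_unchecked(void *stream)
{
    int type = *(int *)stream;
    return type == DEMO_MEM ? ((demo_stream *)stream)->pos : EOF;
}

/* After: validate the pointer before touching the tag, report EOF. */
long demo_tell(void *stream)
{
    if (!stream) return EOF;
    switch (*(int *)stream) {
    case DEMO_MEM: return ((demo_stream *)stream)->pos;
    default:       return EOF;
    }
}

/* Caller side: a failed open becomes an encode error instead of a NULL
   handle passed further down. Returns 0 on success, -1 on failure. */
int demo_encode(const unsigned char *pixels, long len)
{
    void *bs = demo_open(pixels, len);
    long end;
    if (!bs) return -1;
    ((demo_stream *)bs)->pos = len;   /* stand-in for writing len bytes */
    end = demo_tell(bs);
    free(bs);
    return end == len ? 0 : -1;
}
```

The check inside demo_tell turns the crash into an EOF return, while the check in demo_encode keeps the NULL handle from reaching any other stream function that lacks such a guard.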

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1