CVE-2021-45385
Description
A Null Pointer Dereference vulnerability exists in ffjpeg d5cfd49 (2021-12-06) in bmp_load(). When the size information in the metadata of the BMP is out of range, it returns without assigning a memory buffer to pb->pdata and does not exit the program. So the program crashes when it tries to access pb->pdata, in jfif_encode() at jfif.c:763. This is due to the incomplete patch for CVE-2020-13438.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Null pointer dereference in ffjpeg bmp_load() causes SEGV when processing a BMP with out-of-range dimensions.
Vulnerability
In ffjpeg commit d5cfd49 (2021-12-06), the function bmp_load() in bmp.c does not allocate a memory buffer to pb->pdata when the BMP file's width and height metadata specifies dimensions that are out of range. Instead, the function returns to the caller without exiting, leaving pb->pdata as a null pointer. The incomplete patch for CVE-2020-13438 failed to address this code path. When jfif_encode() at jfif.c:763 subsequently attempts to access pb->pdata (dereferenced as bsrc[2], bsrc[1], bsrc[0]), a segmentation fault occurs. This affects all versions of ffjpeg up to and including commit d5cfd49 [1][2].
Exploitation
An attacker needs only to provide a specially crafted BMP file that has out-of-range width and height values. The victim must run ffjpeg with the -e option (encode to JPEG) pointing to that BMP file. No special network position, authentication, or other privileges are required. The program executes bmp_load(), which detects the out-of-range condition, prints a message, and jumps to the done label, but does not allocate pb->pdata. Execution proceeds to jfif_encode(), where the null pointer is dereferenced on line 763, causing a segmentation fault [1].
Impact
Successful exploitation results in a null pointer dereference that causes the program to crash (segmentation fault). This is a denial-of-service (DoS) condition. There is no information disclosure, privilege escalation, or code execution implied by the available references. The crash terminates the encoding process and may be used repeatedly to disrupt service availability [1].
Mitigation
A fix was provided in pull request #48, which adds an exit(1) call in bmp_load() after the out-of-range detection, preventing the null dereference [2]. Users should apply the patch from pull request #48 or update to a version that includes it; commit d5cfd49 itself is vulnerable. No workaround is available without patching, as the vulnerable code path is triggered by standard file processing. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
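The Vulnerability and Mitigation sections above describe a loader that reports success while leaving its output buffer unallocated, and a caller that trusts that report. The following is an added illustration written for this page; it is not ffjpeg's code. The PICBUF struct, the MAX_DIM limit, the 26-byte header layout and all function names are assumptions chosen to keep the demo self-contained. The vulnerable loader mirrors the shape the advisory describes (message, jump to the exit label, pb->pdata left NULL, return 0); the hardened loader returns an error instead, and its caller checks it before touching pb->pdata. The upstream fix cited on this page uses exit(1); the error-return approach shown here is this example's own choice. The vulnerable pipeline reports whether a NULL dereference would have happened rather than actually performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in picture buffer. The field name pdata mirrors the advisory's pb->pdata;
 * this is demonstration code, not ffjpeg's own struct. */
typedef struct { int32_t width, height; uint8_t *pdata; } PICBUF;

#define MAX_DIM 16384   /* constructed limit for the demo, not ffjpeg's value */
#define HDR_LEN 26      /* 14-byte file header + first 12 bytes of BITMAPINFOHEADER */

static int32_t get_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, int32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((uint32_t)v >> (8 * i));
}

/* Build a constructed minimal BMP header with just the fields we parse. */
static void make_bmp_header(uint8_t out[HDR_LEN], int32_t w, int32_t h) {
    memset(out, 0, HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    out[14] = 40;                  /* biSize */
    put_le32(out + 18, w);         /* biWidth */
    put_le32(out + 22, h);         /* biHeight (negative top-down BMPs rejected for brevity) */
}

static int dims_in_range(int32_t w, int32_t h) {
    return w > 0 && h > 0 && w <= MAX_DIM && h <= MAX_DIM;
}

/* Vulnerable shape, modelled on the advisory's description of bmp_load(): on bad
 * dimensions it prints a message and jumps to the exit label, leaving pb->pdata NULL
 * while still reporting success to the caller. */
static int bmp_load_vulnerable(PICBUF *pb, const uint8_t *buf, size_t len) {
    memset(pb, 0, sizeof *pb);
    if (len < HDR_LEN || buf[0] != 'B' || buf[1] != 'M') goto done;
    pb->width = get_le32(buf + 18);
    pb->height = get_le32(buf + 22);
    if (!dims_in_range(pb->width, pb->height)) {
        fprintf(stderr, "bmp_load: dimensions out of range\n");
        goto done;                 /* BUG: no allocation and no error signalled */
    }
    pb->pdata = calloc((size_t)pb->width * (size_t)pb->height, 3);
done:
    return 0;
}

/* Hardened shape: every failure path returns -1 so the caller can refuse to encode.
 * (The upstream fix cited on this page calls exit(1); an error return is the more
 * reusable choice for code that may be called from a library.) */
static int bmp_load_hardened(PICBUF *pb, const uint8_t *buf, size_t len) {
    memset(pb, 0, sizeof *pb);
    if (len < HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    pb->width = get_le32(buf + 18);
    pb->height = get_le32(buf + 22);
    if (!dims_in_range(pb->width, pb->height)) {
        fprintf(stderr, "bmp_load: dimensions out of range\n");
        return -1;
    }
    pb->pdata = calloc((size_t)pb->width * (size_t)pb->height, 3);
    return pb->pdata ? 0 : -1;     /* allocation failure is an error too */
}

/* Stand-in for the encoder's first pixel read (bsrc[0..2] in the advisory). */
static int encode_first_pixel(const PICBUF *pb) {
    const uint8_t *bsrc = pb->pdata;
    return bsrc[0] + bsrc[1] + bsrc[2];
}

/* Vulnerable pipeline: trusts the loader's return value. Rather than actually
 * dereferencing NULL (SEGV in the real program) it returns 1 when it would. */
static int vulnerable_pipeline(int32_t w, int32_t h) {
    uint8_t hdr[HDR_LEN];
    PICBUF pb;
    make_bmp_header(hdr, w, h);
    bmp_load_vulnerable(&pb, hdr, sizeof hdr);   /* always 0, even on bad input */
    int would_crash = (pb.pdata == NULL);
    if (!would_crash) (void)encode_first_pixel(&pb);
    free(pb.pdata);
    return would_crash;
}

/* Hardened pipeline: returns the pixel sum (0 for a zeroed buffer) or -1 on refusal. */
static int hardened_pipeline(int32_t w, int32_t h) {
    uint8_t hdr[HDR_LEN];
    PICBUF pb;
    make_bmp_header(hdr, w, h);
    if (bmp_load_hardened(&pb, hdr, sizeof hdr) != 0) return -1;
    int sum = encode_first_pixel(&pb);
    free(pb.pdata);
    return sum;
}

int main(void) {
    printf("vulnerable 4x4: would crash=%d\n", vulnerable_pipeline(4, 4));
    printf("vulnerable 100000x1: would crash=%d\n", vulnerable_pipeline(100000, 1));
    printf("hardened 4x4: %d, hardened 100000x1: %d\n",
           hardened_pipeline(4, 4), hardened_pipeline(100000, 1));
    return 0;
}
```

The detection-side takeaway is the same whichever fix is chosen: a loader's "success" must mean its output is usable, and every caller should check the loader's return value (or the pointer itself) before dereferencing. The hardened pipeline above refuses the oversized header with -1 instead of reaching the encoder at all.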
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ffjpeg/ffjpeg
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/rockcarry/ffjpeg/issues/47
- [2] github.com/rockcarry/ffjpeg/pull/48
News mentions
No linked articles in our index yet.