The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg prior to 3.1.4 is vulnerable to reading out-of-bounds memory when decoding with cavs_decode.
ffmpeg ffmpeg