FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ffmpeg -- multiple vulnerabilities

Affected packages
5.1,1 <= ffmpeg < 5.1.3,1
5.0,1 <= ffmpeg < 5.0.3,1
ffmpeg < 4.4.4,1
ffmpeg4 < 4.4.4
avidemux <= 2.9
0 <= emby-server
0 <= emby-server-devel
handbrake < 1.6.0
mythtv <= 33.0,1
mythtv-frontend <= 33.0,1

Details

VuXML ID faf7c1d0-f5bb-47b4-a6a8-ef57317b9766
Discovery 2022-11-12
Entry 2023-04-07
Modified 2023-04-10

NVD reports:

An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks a check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.

A null pointer dereference issue was discovered in 'FFmpeg' in the decode_main_header() function of the libavformat/nutdec.c file. The flaw occurs because the function lacks a check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.

A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to an out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.

References

CVE Name CVE-2022-3109
CVE Name CVE-2022-3341
CVE Name CVE-2022-3964
URL https://ffmpeg.org/security.html
URL https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/1eb002596e3761d88de4aeea3158692b82fb6307
URL https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7
URL https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/481e81be1271ac9a0124ee615700390c2371bd89