[Suggested description]
An issue was discovered in FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks a check of the return value of av_malloc() and will cause a null pointer dereference.

[VulnerabilityType Other]
NULL Pointer Dereference

[Vendor of Product]
the development group

[Affected Product Code Base]
FFmpeg - 3.0

[Reference]
https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568

[Discoverer]
Jiasheng Jiang
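The bug class named in the description, as an added example that is not FFmpeg's code and not part of the original report: a decoder-style function that lazily allocates a buffer, shown once without and once with the return-value check, plus a fault-injecting allocator so the failure path can be exercised. `demo_malloc`, `demo_ctx`, `fail_next_alloc` and both `decode_frame_*` functions are hypothetical names, and the buffer size is a constructed value.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not FFmpeg types or functions. */
static int fail_next_alloc;            /* test hook: make the next allocation fail */

static void *demo_malloc(size_t n)     /* plays the role of av_malloc() */
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

struct demo_ctx {
    unsigned char *scratch;            /* buffer allocated on first frame */
    size_t scratch_size;               /* constructed size for the example */
};

/* Unchecked pattern: if the allocation fails, memset() writes through NULL. */
int decode_frame_unchecked(struct demo_ctx *s)
{
    if (!s->scratch)
        s->scratch = demo_malloc(s->scratch_size);
    memset(s->scratch, 0, s->scratch_size);
    return 0;
}

/* Checked pattern: fail this frame with -ENOMEM and leave the context usable. */
int decode_frame_checked(struct demo_ctx *s)
{
    if (!s->scratch) {
        s->scratch = demo_malloc(s->scratch_size);
        if (!s->scratch)
            return -ENOMEM;
    }
    memset(s->scratch, 0, s->scratch_size);
    return 0;
}

int main(void)
{
    struct demo_ctx s = { NULL, 256 };
    fail_next_alloc = 1;
    int first  = decode_frame_checked(&s);  /* allocation fails: error, no crash */
    int second = decode_frame_checked(&s);  /* next call allocates and succeeds */
    free(s.scratch);
    return !(first == -ENOMEM && second == 0);
}
```

Injecting the allocation failure is what makes the missing check observable in a test; under normal memory conditions both variants behave identically.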
This was actually fixed in FFmpeg 5.1.
I've sent the following mail to secalert AT redhat.com: "Hi, CVE-2022-3109 should be updated to say the vulnerable versions are <5.1. Claiming that "ffmpeg through 3.0" is affected softly implies that a version soon after 3.0 contains a fix for the vulnerability, but that is not the case since the patch made it into ffmpeg-5.1. The CVE description also claims that the bug affects confidentiality. How does a null pointer dereference affect confidentiality?"
Created ffmpeg tracking bugs for this issue:
Affects: fedora-36 [bug 2154844]

Created qt5-qtwebengine tracking bugs for this issue:
Affects: epel-8 [bug 2154846]
Affects: fedora-36 [bug 2154847]
Affects: fedora-37 [bug 2154848]