aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables. See e.g. https://security-tracker.debian.org/tracker/CVE-2019-12730, https://nvd.nist.gov/vuln/detail/CVE-2019-12730. Impact: Critical (cvss v3.0) / high (cvss v2.0) Best regards.
*ping*
This should of been stable, resetting it with depends on 711144 which is undergoing stabilization. Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 202003-65 at https://security.gentoo.org/glsa/202003-65 by GLSA coordinator Thomas Deutschmann (whissi).