Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 886497 (CVE-2022-3109) - <media-video/ffmpeg-5.1: null pointer dereference
Summary: <media-video/ffmpeg-5.1: null pointer dereference
Alias: CVE-2022-3109
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [upstream/ebuild]
Depends on:
Reported: 2022-12-17 21:30 UTC by John Helmert III
Modified: 2023-05-04 13:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-17 21:30:57 UTC
CVE-2022-3109 (

An issue was discovered in the FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause the null pointer dereference, impacting confidentiality and availability.

Bit weird to refer to 3.0 when the issue was fixed in 5.1. Not sure
how a crash could affect confidentiality, either. Doesn't seem to have
been backported.
Comment 1 Pacho Ramos gentoo-dev 2023-05-02 13:59:40 UTC
Ubuntu should have backported patches:

But I cannot locate them... I guess they are "closed" behind that ESM stuff? :S