An issue was discovered in FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks a check of the return value of av_malloc() and will cause a null pointer dereference, impacting confidentiality and availability.
Bit weird to refer to 3.0 when the issue was fixed in 5.1. Not sure
how a crash could affect confidentiality, either. Doesn't seem to have
Ubuntu should have backported patches:
But I cannot locate them... I guess they are "closed" behind that ESM stuff? :S