Bug 13489

Please patch CVEs for package ffmpeg version 4.4.3
  
INFO (CVEs are): ffmpeg 4.4.3
 cves found
CVE-2022-3109
Desc: An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3109
Severity: HIGH
CVE-2022-3341
Desc: A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3341
Severity: MEDIUM
CVE-2022-3964
Desc: A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3964
Severity: HIGH
CVE-2022-48434
Desc: libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-48434
Severity: HIGH