^{CVE-2020-22037:}Memory Leak in FFmpeg 4.2 Leading to Denial of Service

Overview

FFmpeg is a widely used multimedia framework that includes libraries and programs for handling video, audio, and other multimedia files and streams. The vulnerability affects version 4.2 and potentially earlier versions. The issue occurs in the avcodec_alloc_context3 function in options.c, which is responsible for allocating memory for codec contexts. Due to improper memory management, the function fails to release allocated memory under certain conditions, leading to memory leaks. When processing malicious or specially crafted media files, this vulnerability can be triggered repeatedly, causing the application to consume increasing amounts of memory until system resources are exhausted, resulting in a denial of service.

Remediation

Users and administrators should update to the latest version of FFmpeg that contains the fix for this vulnerability. Debian users should apply the security updates mentioned in the Debian security advisories DSA-4990, DSA-4998, and DLA 2818-1. If immediate updating is not possible, consider implementing resource limits for applications using FFmpeg to mitigate the impact of potential memory leaks. Additionally, avoid processing untrusted media files with affected versions of FFmpeg. For developers using FFmpeg libraries, ensure proper memory management practices are followed and consider implementing additional checks for memory usage when processing external media files.

References

1. Debian LTS Security Advisory: https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html
2. FFmpeg Ticket #8281 with patch details: https://trac.ffmpeg.org/ticket/8281
3. Debian Security Advisory DSA-4990: https://www.debian.org/security/2021/dsa-4990
4. Debian Security Advisory DSA-4998: https://www.debian.org/security/2021/dsa-4998
5. Common Weakness Enumeration (CWE-401): Memory Leak