ffmpeg QuickTime RPZA Video Encoder libavcodec/rpzaenc.c y_size out-of-bounds
A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. The CWE definition for the vulnerability is CWE-125. The weakness was presented 11/13/2022 as 92f9b28ed84a77138105475beba16c146bdaf984. It is possible to read the advisory at git.ffmpeg.org. This vulnerability is uniquely identified as CVE-2022-3964. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The pricing for an exploit might be around USD $0-$5k at the moment. It is declared as not defined. We expect the 0-day to have been worth approximately $0-$5k. The patch is named 92f9b28ed84a77138105475beba16c146bdaf984. The bugfix is ready for download at git.ffmpeg.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability.