Hi!

> CVE-2022-38600[0]:
> | Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and
> | vf_vo.c.
>
> https://trac.mplayerhq.hu/ticket/2390#comment:2
> https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e
> (r38380)
> Followup:
> https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8
> (r38392)

I would advise consideration on whether this should be considered relevant for Debian security. This is a minor memory leak that happens for files that cannot be played properly (and the leak is linear with number of files played), and MPlayer is rarely used to play many broken videos (i.e. ones that will not show any video) in sequence. I.e. worst case this is a hard (as in, takes a long time and many files) to trigger DoS for a tiny, tiny percentage of users.

> CVE-2022-38862[3]:
> | Certain The MPlayer Project products are vulnerable to Buffer Overflow
> | via function play() of libaf/af.c:639. This affects mplayer
> | SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
>
> https://trac.mplayerhq.hu/ticket/2400
> https://trac.mplayerhq.hu/ticket/2404

These have not been reproduced, even the reporter could not reproduce using valgrind, and I could reproduce with neither valgrind nor ASAN. It could simply be a bug in the specific ASAN version used by the reporter. Code review has not left me 100% confident whether there might be a real issue in this code or not. Even if it is a real issue it is possible it affects only MEncoder, not MPlayer.

Best regards,
Reimar