CVE-2020-24020: 
Ffmpeg vulnerability analysis and mitigation

Buffer Overflow vulnerability was discovered in FFmpeg 4.2.3 affecting the dnnexecutelayerpad function in libavfilter/dnn/dnnbackendnativelayer_pad.c. The vulnerability is due to a call to memcpy without length checks, which could potentially allow a remote malicious user to execute arbitrary code (NVD, FFmpeg Ticket).

The vulnerability exists in all four different memcpy calls within the dnnexecutelayerpad function. An integer overflow occurs when calculating the destination buffer size using calculateoperanddatalength function. This could allow an attacker to control the address of the source and destination buffer inside the memcpy and cause a read/write overflow. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially allow an attacker to execute arbitrary code through buffer overflow exploitation. However, it's important to note that this is only possible if the attacker has full control over the ffmpeg command line, in which case the system would already be compromised independently of this bug (FFmpeg Ticket).

The vulnerability has been fixed in FFmpeg through commit 584f396132aa19d21bb1e38ad9a5d428869290cb. Users should upgrade to a patched version of FFmpeg to mitigate this vulnerability (FFmpeg Commit).