CVE-2022-1475: 
Ffmpeg vulnerability analysis and mitigation

An integer overflow vulnerability was discovered in FFmpeg versions before 4.4.2 and before 5.0.1 in the g729parse() function within llibavcodec/g729parser.c. The vulnerability is tracked as CVE-2022-1475 and was disclosed on May 2, 2022. The issue affects FFmpeg, a complete solution for recording, converting, and streaming audio and video (NVD, CVE).

The vulnerability occurs in the g729_parse() function when processing specially crafted files. The issue manifests as a signed integer overflow condition, specifically when performing the calculation '10 * 808464428' which cannot be represented in the int data type. This leads to undefined behavior as identified by UndefinedBehaviorSanitizer. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, FFmpeg Ticket).

When exploited, this vulnerability can lead to a denial of service (DoS) condition through application crash. The issue affects the parsing of G.729 audio codec data, which could be triggered when processing specially crafted media files (RedHat Bugzilla).

The vulnerability has been fixed in FFmpeg versions 4.4.2 and 5.0.1. Users are advised to upgrade to these or later versions. The fix was implemented through commit 757da974b21833529cc41bdcc9684c29660cdfa8 in the FFmpeg repository (FFmpeg Ticket, Gentoo Advisory).