CVE-2024-36615: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg n7.0 contains a race condition vulnerability (CVE-2024-36615) in its VP9 decoder component. The vulnerability was discovered in the video encoding parameters export functionality, where side data would be attached in the decoder thread while being read in the output thread, potentially leading to a data race condition (FFmpeg Commit).

The vulnerability occurs specifically in the VP9 decoder when outputting a show-existing frame. The decoder would create a reference to the frame and return it immediately to the caller without waiting for it to finish decoding. In frame-threading scenarios, the frame might only be decoded while waiting to be output. This becomes problematic when video encoding parameters are being exported, as the side data attachment in the decoder thread and reads in avframeref() in the output thread create a data race condition (FFmpeg Commit).

The race condition could lead to data corruption or inconsistencies when video encoding parameters are being exported. This particularly affects applications using the vencdatadump tool with specific VP9 video files, such as vp90-2-10-show-existing-frame.webm from the FATE-suite (FFmpeg Commit).

The issue has been fixed by implementing proper synchronization, ensuring that the frame is fully decoded before being output. The fix involves waiting for the frame to be completely processed before allowing it to be output, preventing the race condition (FFmpeg Commit).