Gentoo's Bugzilla – Attachment 86870 Details for
Bug 133520
{media-video/ffmpeg|media-libs/xine-lib} multiple issues (CVE-200{5-4048|6-2802})
[patch]
ffmpeg1.diff
ffmpeg1.diff (text/plain), 6.68 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2006-05-16 12:10:20 UTC
Description:
ffmpeg1.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2006-05-16 12:10:20 UTC
Size:
6.68 KB
patch
obsolete
>Update of /cvsroot/ffmpeg/ffmpeg/libavcodec
>In directory mail:/var2/tmp/cvs-serv6233
>
>Modified Files:
> 4xm.c alac.c cook.c shorten.c smacker.c snow.c tta.c
>Log Message:
>sanity checks, some might have been exploitable ...
>
>
>Index: 4xm.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/4xm.c,v
>retrieving revision 1.20
>retrieving revision 1.21
>diff -u -d -r1.20 -r1.21
>--- 4xm.c 5 Feb 2006 13:35:16 -0000 1.20
>+++ 4xm.c 13 May 2006 10:45:25 -0000 1.21
>@@ -606,7 +606,7 @@
> int i, frame_4cc, frame_size;
>
> frame_4cc= get32(buf);
>- if(buf_size != get32(buf+4)+8){
>+ if(buf_size != get32(buf+4)+8 || buf_size < 20){
> av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
> }
>
>@@ -634,6 +634,10 @@
> cfrm= &f->cfrm[i];
>
> cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
>+ if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
>+ av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
>+ return -1;
>+ }
>
> memcpy(cfrm->data + cfrm->size, buf+20, data_size);
> cfrm->size += data_size;
>
>Index: alac.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/alac.c,v
>retrieving revision 1.11
>retrieving revision 1.12
>diff -u -d -r1.11 -r1.12
>--- alac.c 10 May 2006 11:59:09 -0000 1.11
>+++ alac.c 13 May 2006 10:45:25 -0000 1.12
>@@ -100,7 +100,7 @@
> alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
> }
>
>-static void alac_set_info(ALACContext *alac)
>+static int alac_set_info(ALACContext *alac)
> {
> unsigned char *ptr = alac->avctx->extradata;
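Review bot: The new `buf_size < 20` condition only logs: the `if` body is the `av_log` call alone, so execution continues and a packet shorter than 20 bytes still reaches the reads past `buf+20` (the `memcpy(cfrm->data + cfrm->size, buf+20, data_size)` in the following hunk). Since the existing size-mismatch case was deliberately log-only, keep that behaviour and give the short-packet case its own rejecting branch, `if(buf_size < 20){ av_log(f->avctx, AV_LOG_ERROR, "packet too small\n"); return -1; }`, before the mismatch test. The enclosing function starts and ends outside the hunk.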
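Review bot: The `av_fast_realloc` result is stored straight back into `cfrm->data`, so when it returns NULL the previous buffer is no longer referenced by the context and `cfrm->allocated_size`, which the helper may already have updated, no longer describes what `cfrm->data` points to; storing the result in a local of the same type as `cfrm->data` and assigning it only after the NULL check keeps the two fields consistent. Whether av_fast_realloc frees or keeps the old block on failure is not visible in this hunk. Separately, `"realloc falure"` has a typo and lacks the trailing `\n` every other message in this patch carries.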
>
>@@ -108,6 +108,10 @@
> ptr += 4; /* alac */
> ptr += 4; /* 0 ? */
>
>+ if(BE_32(ptr) >= UINT_MAX/4){
>+ av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
>+ return -1;
>+ }
> alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
> ptr += 4;
> alac->setinfo_7a = *ptr++;
>@@ -126,6 +130,8 @@
> ptr += 4;
>
> allocate_buffers(alac);
>+
>+ return 0;
> }
>
> /* hideously inefficient. could use a bitmask search,
>
>Index: cook.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/cook.c,v
>retrieving revision 1.9
>retrieving revision 1.10
>diff -u -d -r1.9 -r1.10
>--- cook.c 10 Feb 2006 11:59:38 -0000 1.9
>+++ cook.c 13 May 2006 10:45:25 -0000 1.10
>@@ -1253,6 +1253,10 @@
> if (init_cook_vlc_tables(q) != 0)
> return -1;
>
>+
>+ if(avctx->block_align >= UINT_MAX/2)
>+ return -1;
>+
> /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
> this is for the bitstreamreader. */
> if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t))) == NULL)
>
>Index: shorten.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/shorten.c,v
>retrieving revision 1.3
>retrieving revision 1.4
>diff -u -d -r1.3 -r1.4
>--- shorten.c 25 Jan 2006 22:10:12 -0000 1.3
>+++ shorten.c 13 May 2006 10:45:25 -0000 1.4
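Review bot: `alac_set_info` now returns `int`, but no hunk in this patch touches its caller, and the `-1` introduced in the next hunk is only effective if the call site checks it, e.g. `if(alac_set_info(alac) < 0) return -1;`. The caller is outside the diff, so this may already be handled; if it is not, decoding would continue with an unconfigured context after the bound check fires. The function's body continues past the end of this hunk.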
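Review bot: The new bound on `BE_32(ptr)` is read from `alac->avctx->extradata` without any visible comparison against `avctx->extradata_size`, so the reads through `ptr` in this hunk (`BE_32(ptr)`, `*ptr++`) rely on a length check that, if it exists, lives outside the diff. A one-line guard at the top of the function, `if(alac->avctx->extradata_size < 36) return -1;` with the constant matched to the number of bytes this parser actually consumes, would make the routine self-contained; the exact byte count cannot be confirmed from this hunk alone. The `UINT_MAX/4` limit itself is sound for the `* 4` multiplication seen in the previous hunk's `av_malloc`.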
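Review bot: `allocate_buffers(alac)` is still called with its result ignored, while the visible tail of that helper (context of the `@@ -100` hunk) stores `av_malloc(alac->setinfo_max_samples_per_frame * 4)` without a NULL check; with a frame size just under the new `UINT_MAX/4` limit that request is close to 4 GiB and can legitimately fail, leaving a NULL output buffer for the decoder. Whether the helper reports failures is not visible here; if it does not, it should, and this line should become `if(allocate_buffers(alac) < 0) return -1;` ahead of the new `return 0;`.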
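Review bot: Unlike every other rejection added by this patch, the `block_align` check returns -1 silently; add `av_log(avctx, AV_LOG_ERROR, "block_align too large\n");` before the `return -1;` so a rejected stream is as diagnosable as the others. The two added blank lines around the check also break the file's spacing and can be dropped. The enclosing init function starts and ends outside the hunk.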
>@@ -106,18 +106,27 @@
> return 0;
> }
>
>-static void allocate_buffers(ShortenContext *s)
>+static int allocate_buffers(ShortenContext *s)
> {
> int i, chan;
> for (chan=0; chan<s->channels; chan++) {
>+ if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
>+ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
>+ return -1;
>+ }
>+ if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
>+ av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
>+ return -1;
>+ }
>+
> s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
>
> s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
> for (i=0; i<s->nwrap; i++)
> s->decoded[chan][i] = 0;
> s->decoded[chan] += s->nwrap;
>-
> }
>+ return 0;
> }
>
>
>
>Index: smacker.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/smacker.c,v
>retrieving revision 1.2
>retrieving revision 1.3
>diff -u -d -r1.2 -r1.3
>--- smacker.c 25 Mar 2006 15:37:08 -0000 1.2
>+++ smacker.c 13 May 2006 10:45:25 -0000 1.3
>@@ -177,6 +177,11 @@
> int escapes[3];
> DBCtx ctx;
>
>+ if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
>+ av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
>+ return -1;
>+ }
>+
> tmp1.length = 256;
> tmp1.maxlength = 0;
> tmp1.current = 0;
>
>Index: snow.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/snow.c,v
>retrieving revision 1.94
>retrieving revision 1.95
>diff -u -d -r1.94 -r1.95
>--- snow.c 20 Mar 2006 05:52:23 -0000 1.94
>+++ snow.c 13 May 2006 10:45:25 -0000 1.95
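Review bot: The two `av_realloc` results that the new checks protect are still not tested: on failure `s->offset[chan]` or `s->decoded[chan]` becomes NULL (and the previous block is no longer referenced), and the `s->decoded[chan][i] = 0` loop that follows then writes through a null pointer. Add `if(!s->offset[chan] || !s->decoded[chan]) return -1;` between the second realloc and the zeroing loop, and since neither size check depends on `chan`, move both above the `for` so they run once rather than per channel. If `s->blocksize` and `s->nwrap` are signed ints, `s->blocksize + s->nwrap` is evaluated in signed arithmetic before the unsigned comparison; their declarations are not visible here.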
>@@ -3712,7 +3712,7 @@
> s->mv_scale= get_symbol(&s->c, s->header_state, 0);
> s->qbias= get_symbol(&s->c, s->header_state, 1);
> s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
>- if(s->block_max_depth > 1){
>+ if(s->block_max_depth > 1 || s->block_max_depth < 0){
> av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
> s->block_max_depth= 0;
> return -1;
>
>Index: tta.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/tta.c,v
>retrieving revision 1.2
>retrieving revision 1.3
>diff -u -d -r1.2 -r1.3
>--- tta.c 27 Feb 2006 12:17:20 -0000 1.2
>+++ tta.c 13 May 2006 10:45:26 -0000 1.3
>@@ -238,6 +238,10 @@
> avctx->bits_per_sample = get_le16(&s->gb);
> s->bps = (avctx->bits_per_sample + 7) / 8;
> avctx->sample_rate = get_le32(&s->gb);
>+ if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
>+ av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
>+ return -1;
>+ }
> s->data_length = get_le32(&s->gb);
> skip_bits(&s->gb, 32); // CRC32 of header
>
>@@ -276,6 +280,11 @@
> skip_bits(&s->gb, 32);
> skip_bits(&s->gb, 32); // CRC32 of seektable
>
>+ if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
>+ av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
>+ return -1;
>+ }
>+
> s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
> } else {
> av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
>
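Review bot: The widened condition now rejects negative `block_max_depth` as well, but the message on the next line still reads `is too large`, so a negative value produces a misleading log; `"block_max_depth= %d is out of range"` covers both arms. If the last argument of `get_symbol` is the signedness flag, a negative result from a call with `0` presumably means a corrupted or overflowed symbol rather than an encoded negative, which is worth a comment on the check so the `< 0` arm is not removed as dead later. The enclosing header parser continues outside the hunk.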
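Review bot: The check rejects only values above 1000000; if `avctx->sample_rate` is a signed `int`, as AVCodecContext declares it, a 32-bit header value with the top bit set is stored as a negative number, passes the test and still yields a negative `FRAME_TIME * avctx->sample_rate`. Reject non-positive values too: `if(avctx->sample_rate <= 0 || avctx->sample_rate > 1000000){`. The enclosing init function starts and ends outside the hunk.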
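Review bot: The new bound divides by `s->channels * sizeof(int32_t)`, so a header that declares zero channels turns the guard itself into a division by zero; nothing in this patch shows `s->channels` being validated, so unless a check exists outside the diff, place `if(s->channels < 1){ av_log(avctx, AV_LOG_ERROR, "invalid channel count\n"); return -1; }` ahead of it. The `av_mallocz` result on the following line is also still unchecked, which matters precisely when `frame_length` is just under the new limit. The enclosing function starts and ends outside the hunk.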