[patch]
ffmpeg4.diff
ffmpeg4.diff (text/plain), 6.08 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2006-05-16 12:11:36 UTC
Description:
ffmpeg4.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2006-05-16 12:11:36 UTC
Size:
6.08 KB
patch
obsolete
>Update of /cvsroot/ffmpeg/ffmpeg/libavformat
>In directory mail:/var2/tmp/cvs-serv21138
>
>Modified Files:
> rm.c sierravmd.c smacker.c tta.c
>Log Message:
>sanity checks some might have been exploitable
>
>
>Index: rm.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavformat/rm.c,v
>retrieving revision 1.57
>retrieving revision 1.58
>diff -u -d -r1.57 -r1.58
>--- rm.c 1 Mar 2006 11:29:55 -0000 1.57
>+++ rm.c 13 May 2006 11:37:56 -0000 1.58
>@@ -555,6 +555,12 @@
> st->codec->extradata_size= 0;
> rm->audio_framesize = st->codec->block_align;
> st->codec->block_align = coded_framesize;
>+
>+ if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
>+ av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
>+ return -1;
>+ }
>+
> rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
> } else if (!strcmp(buf, "cook")) {
> int codecdata_length, i;
>@@ -562,6 +568,11 @@
> if (((version >> 16) & 0xff) == 5)
> get_byte(pb);
> codecdata_length = get_be32(pb);
>+ if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){
>+ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n");
>+ return -1;
>+ }
>+
> st->codec->codec_id = CODEC_ID_COOK;
> st->codec->extradata_size= codecdata_length;
> st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
>@@ -569,6 +580,12 @@
> ((uint8_t*)st->codec->extradata)[i] = get_byte(pb);
> rm->audio_framesize = st->codec->block_align;
> st->codec->block_align = rm->sub_packet_size;
>+
>+ if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
>+ av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
>+ return -1;
>+ }
>+
> rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
> } else {
> st->codec->codec_id = CODEC_ID_NONE;
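Review bot: The guard `if(rm->audio_framesize >= UINT_MAX / sub_packet_h)` divides by `sub_packet_h` before anything has established that it is non-zero; `sub_packet_h` is set outside the hunk (it appears to come from the stream header), so a zero value would turn the new sanity check itself into a division by zero. Reject zero where the value is read, or fold it into this test: `if(sub_packet_h == 0 || rm->audio_framesize >= UINT_MAX / sub_packet_h){`. The identical block added at `@@ -569,6 +580,12 @@` has the same gap. The enclosing function starts and ends outside the hunk.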
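Review bot: In `codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length` the addition is evaluated in `int` (`codecdata_length` is declared `int` in the context of the preceding hunk) and only the right-hand operand is cast, so for a length within `FF_INPUT_BUFFER_PADDING_SIZE` of `INT_MAX` it is signed overflow — undefined behaviour that the compiler may treat as impossible and fold the test away — rather than the unsigned wrap the comparison is meant to catch. Converting before adding and bounding against the signed range also keeps `extradata_size`, which the cast suggests is an `int`, non-negative: `if((unsigned)codecdata_length > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE){`. The same pattern on `st->codec->extradata_size` appears at `@@ -715,6 +732,12 @@` in rm.c and `@@ -76,6 +90,11 @@` in tta.c; the comments there say `get_buffer()` would also reject such a size, but as written those guards still depend on the overflow happening. The enclosing function starts and ends outside the hunk.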
>@@ -715,6 +732,12 @@
> get_be16(pb);
>
> st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos);
>+
>+ if(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
>+ //check is redundant as get_buffer() will catch this
>+ av_log(s, AV_LOG_ERROR, "st->codec->extradata_size too large\n");
>+ return -1;
>+ }
> st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
> get_buffer(pb, st->codec->extradata, st->codec->extradata_size);
>
>
>Index: sierravmd.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavformat/sierravmd.c,v
>retrieving revision 1.15
>retrieving revision 1.16
>diff -u -d -r1.15 -r1.16
>--- sierravmd.c 11 Mar 2006 04:27:58 -0000 1.15
>+++ sierravmd.c 13 May 2006 11:37:56 -0000 1.16
>@@ -196,6 +196,10 @@
> vmd->frame_table = NULL;
> raw_frame_table_size = vmd->frame_count * 6;
> raw_frame_table = av_malloc(raw_frame_table_size);
>+ if(vmd->frame_count * vmd->frames_per_block >= UINT_MAX / sizeof(vmd_frame_t)){
>+ av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
>+ return -1;
>+ }
> vmd->frame_table = av_malloc(vmd->frame_count * vmd->frames_per_block * sizeof(vmd_frame_t));
> if (!raw_frame_table || !vmd->frame_table) {
> av_free(raw_frame_table);
>
>Index: smacker.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavformat/smacker.c,v
>retrieving revision 1.1
>retrieving revision 1.2
>diff -u -d -r1.1 -r1.2
>--- smacker.c 21 Mar 2006 17:27:47 -0000 1.1
>+++ smacker.c 13 May 2006 11:37:56 -0000 1.2
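Review bot: The new `return -1` in the sierravmd.c hunk leaks `raw_frame_table`, which `av_malloc(raw_frame_table_size)` allocated on the line immediately above the check, whereas the existing failure path two lines below frees it. The guard also multiplies `vmd->frame_count * vmd->frames_per_block` before comparing, so the product may already have wrapped by the time the test runs; comparing one factor at a time avoids that. Moving the check above both allocations and splitting it addresses both points; whether a zero `frames_per_block` should be rejected as below or allowed through depends on the format, which the hunk does not show. The enclosing function starts and ends outside the hunk.
```c
    vmd->frame_table = NULL;
    raw_frame_table_size = vmd->frame_count * 6;
    /* bound the product before either allocation: the early return then
       leaks nothing, and testing one factor at a time keeps the guard
       itself from wrapping */
    if(vmd->frames_per_block == 0 ||
       vmd->frame_count >= UINT_MAX / sizeof(vmd_frame_t) / vmd->frames_per_block){
        av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
        return -1;
    }
    raw_frame_table = av_malloc(raw_frame_table_size);
    vmd->frame_table = av_malloc(vmd->frame_count * vmd->frames_per_block * sizeof(vmd_frame_t));
    /* … unchanged: NULL check and av_free(raw_frame_table) … */
```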
>@@ -114,6 +114,13 @@
> for(i = 0; i < 7; i++)
> smk->audio[i] = get_le32(pb);
> smk->treesize = get_le32(pb);
>+
>+ if(smk->treesize >= UINT_MAX/4){ // smk->treesize + 16 must not overflow (this check is probably redundant)
>+ av_log(s, AV_LOG_ERROR, "treesize too large\n");
>+ return -1;
>+ }
>+
>+//FIXME remove extradata "rebuilding"
> smk->mmap_size = get_le32(pb);
> smk->mclr_size = get_le32(pb);
> smk->full_size = get_le32(pb);
>
>Index: tta.c
>===================================================================
>RCS file: /cvsroot/ffmpeg/ffmpeg/libavformat/tta.c,v
>retrieving revision 1.2
>retrieving revision 1.3
>diff -u -d -r1.2 -r1.3
>--- tta.c 13 Feb 2006 12:05:06 -0000 1.2
>+++ tta.c 13 May 2006 11:37:56 -0000 1.3
>@@ -50,13 +50,27 @@
> channels = get_le16(&s->pb);
> bps = get_le16(&s->pb);
> samplerate = get_le32(&s->pb);
>+ if(samplerate <= 0 || samplerate > 1000000){
>+ av_log(s, AV_LOG_ERROR, "nonsense samplerate\n");
>+ return -1;
>+ }
>+
> datalen = get_le32(&s->pb);
>+ if(datalen < 0){
>+ av_log(s, AV_LOG_ERROR, "nonsense datalen\n");
>+ return -1;
>+ }
>+
> url_fskip(&s->pb, 4); // header crc
>
> framelen = 1.04489795918367346939 * samplerate;
> c->totalframes = datalen / framelen + ((datalen % framelen) ? 1 : 0);
> c->currentframe = 0;
>
>+ if(c->totalframes >= UINT_MAX/sizeof(uint32_t)){
>+ av_log(s, AV_LOG_ERROR, "totalframes too large\n");
>+ return -1;
>+ }
> c->seektable = av_mallocz(sizeof(uint32_t)*c->totalframes);
> if (!c->seektable)
> return AVERROR_NOMEM;
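Review bot: The comment on `if(smk->treesize >= UINT_MAX/4)` justifies the bound with `smk->treesize + 16 must not overflow`, but the value rejected is four times smaller than that needs, and the trailing `(this check is probably redundant)` leaves the next reader unsure what the guard actually protects. State the computation the bound is for, in reviewer voice if it is not yet known: `// treesize feeds size arithmetic later in this function; keep it below UINT_MAX/4 so that cannot wrap — confirm which use needs this margin`. The added `//FIXME remove extradata "rebuilding"` at column 0 is unrelated to the check and would be clearer next to the code it refers to. The enclosing function starts and ends outside the hunk.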
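Review bot: `samplerate > 1000000` in the tta.c hunk introduces an unnamed bound; a named constant such as `enum { TTA_SAMPLERATE_MAX = 1000000 };` (name constructed) would let the limit be found and justified later. A why-comment on the lower bound is also worth adding, because `samplerate <= 0` is what keeps `framelen` (an integer, given the `%` below) at least 1 for `datalen / framelen` and `datalen % framelen`: `// samplerate >= 1 guarantees framelen >= 1 for the division below`. Note that `samplerate <= 0` and `datalen < 0` only reject anything if those locals are signed, which is declared outside the hunk; if they are unsigned the first reduces to `== 0` and the second to nothing. The enclosing function starts and ends outside the hunk.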
>@@ -76,6 +90,11 @@
> st->codec->bits_per_sample = bps;
>
> st->codec->extradata_size = url_ftell(&s->pb) - start;
>+ if(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
>+ //this check is redundant as get_buffer should fail
>+ av_log(s, AV_LOG_ERROR, "extradata_size too large\n");
>+ return -1;
>+ }
> st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE);
> url_fseek(&s->pb, start, SEEK_SET); // or SEEK_CUR and -size ? :)
> get_buffer(&s->pb, st->codec->extradata, st->codec->extradata_size);
>