[Bug 1436296] Re: FFmpeg security fixes March 2015

Andreas Cadhalpun Andreas.Cadhalpun at gmail.com
Sun Apr 19 19:04:32 UTC 2015


In the meantime, FFmpeg 2.5.6 with some more fixes has been released.

version 2.5.6
- avcodec/atrac3plusdsp: fix on stack alignment
- ac3: validate end in ff_ac3_bit_alloc_calc_mask
- aacpsy: avoid psy_band->threshold becoming NaN
- aasc: return correct buffer size from aasc_decode_frame
- msrledec: use signed pixel_ptr in msrle_decode_pal4
- swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07)
- swresample: Allow reinitialization without ever setting channel counts
- avcodec/h264: Do not fail with randomly truncated VUIs
- avcodec/h264_ps: Move truncation check from VUI to SPS
- avcodec/h264: Be more tolerant to changing pps id between slices
- avcodec/aacdec: Fix storing state before PCE decode
- avcodec/h264: reset the counts in the correct context
- avcodec/h264_slice: Do not reset mb_aff_frame per slice
- avcodec/h264: finish previous slices before switching to single thread mode
- avcodec/h264: Fix race between slices where one overwrites data from the next
- avcodec/h264_refs: Do not set reference to things which do not exist
- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode
- h264: avoid unnecessary calls to get_format
- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer

I updated the vivid branch on Alioth [1].

It builds fine in a vivid chroot, including build time tests.
Attached is a debdiff from 2.5.4-1.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

** Patch added: "2.5.6.diff"
   https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1436296/+attachment/4379593/+files/2.5.6.diff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1436296

Title:
  FFmpeg security fixes March 2015

Status in ffmpeg package in Ubuntu:
  Confirmed

Bug description:
  FFmpeg 2.5.5 fixing a number of crashes and other potentially security relevant issues was released.
  From the upstream Changelog:

  version 2.5.5:
  - vp9: make above buffer pointer 32-byte aligned.
  - avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
  - avformat/mov: Disallow ".." in dref unless use_absolute_path is set
  - avformat/mov: Check for string truncation in mov_open_dref()
  - avformat/mov: Use sizeof(filename) instead of a literal number
  - eac3dec: fix scaling
  - ac3_fixed: fix computation of spx_noise_blend
  - ac3_fixed: fix out-of-bound read
  - ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
  - avcodec/012v: redesign main loop
  - avcodec/012v: Check dimensions more completely
  - asfenc: fix leaking asf->index_ptr on error
  - avcodec/options_table: remove extradata_size from the AVOptions table
  - ffmdec: limit the backward seek to the last resync position
  - ffmdec: make sure the time base is valid
  - ffmdec: fix infinite loop at EOF
  - ffmdec: initialize f_cprv, f_stvi and f_stau
  - avformat/rm: limit packet size
  - avcodec/webp: validate the distance prefix code
  - avcodec/rv10: check size of s->mb_width * s->mb_height
  - eamad: check for out of bounds read
  - mdec: check for out of bounds read
  - arm: Suppress tags about used cpu arch and extensions
  - aic: Fix decoding files with odd dimensions
  - avcodec/tiff: move bpp check to after "end:"
  - mxfdec: Fix the error handling for when strftime fails
  - avcodec/opusdec: Fix delayed sample value
  - avcodec/opusdec: Clear out pointers per packet
  - avcodec/utils: Align YUV411 by as much as the other YUV variants
  - vp9: fix segmentation map retention with threading enabled.
  - webp: ensure that each transform is only used once
  - doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
  - fix VP9 packet decoder returning 0 instead of the used data size
  - avformat/flvenc: check that the codec_tag fits in the available bits
  - avcodec/utils: use correct printf specifier in ff_set_sar
  - avutil/imgutils: correctly check for negative SAR components
  - swscale/utils: clear formatConvBuffer on allocation
  - avformat/bit: only accept the g729 codec and 1 channel
  - avformat/bit: check that pkt->size is 10 in write_packet
  - avformat/adxdec: check avctx->channels for invalid values
  - avformat/adxdec: set avctx->channels in adx_read_header
  - Fix buffer_size argument to init_put_bits() in multiple encoders.
  - mips/acelp_filters: fix incorrect register constraint
  - avcodec/hevc_ps: Sanity checks for some log2_* values
  - avcodec/zmbv: Check len before reading in decode_frame()
  - avcodec/h264: Only reinit quant tables if a new PPS is allowed
  - avcodec/snowdec: Fix ref value check
  - swscale/utils: More carefully merge and clear coefficients outside the input
  - avcodec/a64multienc: Assert that the Packet size does not grow
  - avcodec/a64multienc: simplify frame handling code
  - avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
  - avcodec/a64multienc: initialize mc_meta_charset to zero
  - avcodec/a64multienc: don't set incorrect packet size
  - avcodec/a64multienc: use av_frame_ref instead of copying the frame
  - avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
  - h264: initialize H264Context.avctx in init_thread_copy
  - wtvdec: fix integer overflow resulting in errors with large files
  - avcodec/gif: fix off by one in column offsetting finding

  Since Debian already has the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze.
  Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5.
  I'm attaching the debdiff.

  I've tested the resulting package using the autopkgtests from 2.6.1-1
  and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

  1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1436296/+subscriptions
