r145 - in unstable/ffmpeg/debian: . patches
lool at alioth.debian.org
lool at alioth.debian.org
Wed Mar 14 14:22:12 CET 2007
Author: lool
Date: 2007-01-24 11:02:43 +0000 (Wed, 24 Jan 2007)
New Revision: 145
Added:
unstable/ffmpeg/debian/patches/051_asf-misc-security-fixes.diff
Modified:
unstable/ffmpeg/debian/changelog
unstable/ffmpeg/debian/patches/series
Log:
* SECURITY: New patch, 051_asf-misc-security-fixes, to properly check
packet sizes, chunk sizes, and fragment positions; from upstream SVN r7640
and r7650.
Modified: unstable/ffmpeg/debian/changelog
===================================================================
--- unstable/ffmpeg/debian/changelog 2007-01-24 10:55:27 UTC (rev 144)
+++ unstable/ffmpeg/debian/changelog 2007-01-24 11:02:43 UTC (rev 145)
@@ -8,8 +8,11 @@
* SECURITY: New patch, 050_h264-misc-security-fixes, to properly check the
sps and pps ids before use and to check more bitstram values and fix
potential security holes; from upstream SVN r7585, r7586, and r7591.
+ * SECURITY: New patch, 051_asf-misc-security-fixes, to properly check
+ packet sizes, chunk sizes, and fragment positions; from upstream SVN r7640
+ and r7650.
- -- Loic Minier <lool at dooz.org> Wed, 24 Jan 2007 11:53:08 +0100
+ -- Loic Minier <lool at dooz.org> Wed, 24 Jan 2007 12:01:12 +0100
ffmpeg (0.cvs20060823-4) unstable; urgency=high
Added: unstable/ffmpeg/debian/patches/051_asf-misc-security-fixes.diff
===================================================================
--- unstable/ffmpeg/debian/patches/051_asf-misc-security-fixes.diff 2007-01-24 10:55:27 UTC (rev 144)
+++ unstable/ffmpeg/debian/patches/051_asf-misc-security-fixes.diff 2007-01-24 11:02:43 UTC (rev 145)
@@ -0,0 +1,72 @@
+Index: ffmpeg-0.cvs20060823/libavformat/asf.c
+===================================================================
+--- ffmpeg-0.cvs20060823.orig/libavformat/asf.c 2006-08-17 12:39:28.000000000 +0200
++++ ffmpeg-0.cvs20060823/libavformat/asf.c 2007-01-24 11:58:46.000000000 +0100
+@@ -261,7 +261,8 @@
+ // asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data);
+ if (asf_st->ds_span > 1) {
+ if (!asf_st->ds_chunk_size
+- || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1))
++ || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)
++ || asf_st->ds_packet_size % asf_st->ds_chunk_size)
+ asf_st->ds_span = 0; // disable descrambling
+ }
+ switch (st->codec->codec_id) {
+@@ -695,6 +696,14 @@
+ asf->packet_size_left -= asf->packet_frag_size;
+ if (asf->packet_size_left < 0)
+ continue;
++
++ if( asf->packet_frag_offset >= asf_st->pkt.size
++ || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
++ av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
++ asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
++ continue;
++ }
++
+ get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
+ asf->packet_frag_size);
+ asf_st->frag_offset += asf->packet_frag_size;
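Review bot: The new fragment check rejects a bad offset/size with `continue` only after `asf->packet_size_left -= asf->packet_frag_size` has run and before `get_buffer()` consumes the payload, so the size accounting and the stream position may disagree on the next iteration. The enclosing loop starts and ends outside the hunk, so whether it resynchronises cannot be confirmed from here. The bounds test itself avoids the `offset + size` overflow, but it relies on `asf_st->pkt.size` being non-negative when it is compared with the now-unsigned fields and printed with `%u`. A comment such as `/* pkt.size >= 0 here; the subtraction cannot wrap because packet_frag_offset < pkt.size */` would record that assumption next to the check.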
+@@ -702,6 +711,9 @@
+ if (asf_st->frag_offset == asf_st->pkt.size) {
+ /* return packet */
+ if (asf_st->ds_span > 1) {
++ if(asf_st->pkt.size != asf_st->ds_packet_size * asf_st->ds_span){
++ av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span\n");
++ }else{
+ /* packet descrambling */
+ char* newdata = av_malloc(asf_st->pkt.size);
+ if (newdata) {
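Review bot: When `pkt.size != ds_packet_size * ds_span` the new branch only logs and falls through, so the still-scrambled packet appears to be handed to the caller by the `memcpy(pkt, &asf_st->pkt, ...)` visible in a later hunk. If returning it is intended, the message should say that descrambling was skipped, e.g. `"pkt.size != ds_packet_size * ds_span, descrambling skipped\n"`; otherwise the packet should be dropped here. The product is computed in whatever type those two fields have, which is not shown, so it is worth confirming it cannot overflow for values read from the file. The body of the new `else` keeps its old indentation and its closing brace is added in a later hunk.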
+@@ -712,6 +724,9 @@
+ int col = off % asf_st->ds_span;
+ int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size;
+ //printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx);
++
++ assert(offset + asf_st->ds_chunk_size <= asf_st->pkt.size);
++ assert(idx+1 <= asf_st->pkt.size / asf_st->ds_chunk_size);
+ memcpy(newdata + offset,
+ asf_st->pkt.data + idx * asf_st->ds_chunk_size,
+ asf_st->ds_chunk_size);
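Review bot: The two `assert()` calls guarding the `memcpy` vanish when `NDEBUG` is defined, leaving the copy bounded only by the earlier `ds_packet_size % ds_chunk_size` and `pkt.size != ds_packet_size * ds_span` checks. Where asserts are active, a file that violates them aborts the process instead. For values derived from file input an ordinary runtime test holds in every build, e.g. `if (offset + asf_st->ds_chunk_size > asf_st->pkt.size || idx >= asf_st->pkt.size / asf_st->ds_chunk_size) break;`, with the partially filled `newdata` freed rather than installed as `pkt.data`. The enclosing loop and the declaration of `offset` are outside the hunk, so the exact exit path needs checking against the full function.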
+@@ -720,6 +735,7 @@
+ av_free(asf_st->pkt.data);
+ asf_st->pkt.data = newdata;
+ }
++ }
+ }
+ asf_st->frag_offset = 0;
+ memcpy(pkt, &asf_st->pkt, sizeof(AVPacket));
+Index: ffmpeg-0.cvs20060823/libavformat/asf.h
+===================================================================
+--- ffmpeg-0.cvs20060823.orig/libavformat/asf.h 2007-01-24 11:58:38.000000000 +0100
++++ ffmpeg-0.cvs20060823/libavformat/asf.h 2007-01-24 11:58:46.000000000 +0100
+@@ -112,8 +112,8 @@
+ int packet_replic_size;
+ int packet_key_frame;
+ int packet_padsize;
+- int packet_frag_offset;
+- int packet_frag_size;
++ unsigned int packet_frag_offset;
++ unsigned int packet_frag_size;
+ int packet_frag_timestamp;
+ int packet_multi_size;
+ int packet_obj_size;
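Review bot: Only `packet_frag_offset` and `packet_frag_size` become `unsigned int`, while the neighbouring `packet_replic_size`, `packet_padsize`, `packet_multi_size` and `packet_obj_size` stay `int`. Any existing expression in asf.c that mixes them with the two changed fields now follows unsigned conversion rules, and any `< 0` test on the two fields would become always false. Those uses are outside this hunk, so this is something to audit rather than a confirmed defect. A comment on the declarations, such as `/* unsigned: taken from the file and range-checked against pkt.size before use */`, would explain why these two fields differ from their neighbours.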
Modified: unstable/ffmpeg/debian/patches/series
===================================================================
--- unstable/ffmpeg/debian/patches/series 2007-01-24 10:55:27 UTC (rev 144)
+++ unstable/ffmpeg/debian/patches/series 2007-01-24 11:02:43 UTC (rev 145)
@@ -12,3 +12,4 @@
030_arm_cpu_detect.diff
030_arm_workaround.diff
050_h264-misc-security-fixes.diff
+051_asf-misc-security-fixes.diff