r1307 - in /unstable/ffmpeg/debian: ./ changelog patches/020_bug489965_bufferoverflow_str_demuxer.diff patches/series

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Wed Jul 9 07:55:27 UTC 2008


Author: siretart
Date: Wed Jul  9 07:55:26 2008
New Revision: 1307

URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1307
Log:
* Add patch 020_bug489965_bufferoverflow_str_demuxer.diff. Fixes a
  buffer overflow in the STR demuxer. Thanks to Moritz Muehlenhoff for
  reporting the issue. (Closes: #489965)
* Raising severity to high because of security issue.

Added:
    unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff
Modified:
    unstable/ffmpeg/debian/   (props changed)
    unstable/ffmpeg/debian/changelog
    unstable/ffmpeg/debian/patches/series

Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:file-ids (original)
+++ bzr:file-ids Wed Jul  9 07:55:26 2008
@@ -1,0 +1,1 @@
+patches/020_bug489965_bufferoverflow_str_demuxer.diff	020_bug489965_buffer-20080709075053-htd03e50ze13kewl-1

Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:revision-id:v3-single1-dW5zdGFibGUvZmZtcGVnL2RlYmlhbg.. (original)
+++ bzr:revision-id:v3-single1-dW5zdGFibGUvZmZtcGVnL2RlYmlhbg.. Wed Jul  9 07:55:26 2008
@@ -43,3 +43,4 @@
 77 siretart at tauware.de-20080707153732-3yyo2ff3yb2c1oms
 78 siretart at tauware.de-20080708125428-7jvyke7mw1daxqbj
 79 siretart at tauware.de-20080708125447-yacvth4x5njytrip
+80 siretart at tauware.de-20080709075516-hffgk4qdf523wk8o

Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:revision-info (original)
+++ bzr:revision-info Wed Jul  9 07:55:26 2008
@@ -1,4 +1,4 @@
-timestamp: 2008-07-08 14:54:47.443000078 +0200
+timestamp: 2008-07-09 09:55:16.184000015 +0200
 committer: Reinhard Tartler <siretart at tauware.de>
 properties: 
 	branch-nick: unstable

Modified: unstable/ffmpeg/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/changelog?rev=1307&op=diff
==============================================================================
--- unstable/ffmpeg/debian/changelog (original)
+++ unstable/ffmpeg/debian/changelog Wed Jul  9 07:55:26 2008
@@ -1,4 +1,4 @@
-ffmpeg-debian (0.svn20080206-10) UNRELEASED; urgency=low
+ffmpeg-debian (0.svn20080206-10) UNRELEASED; urgency=high
 
   * enable mmx and sse3 in builds. These CPU features are autodetected 
     at runtime on amd64 and i386 using the 'cpuid' instrcution.
@@ -6,8 +6,12 @@
   * disable support for liba52-dev. ffmpeg has its own implementation.
   * don't add -fPIC -DPIC forcefully to ./configure. upstream claim that
     the configure script gets this right on all architectures itself.
-
- -- Reinhard Tartler <siretart at tauware.de>  Mon, 07 Jul 2008 16:31:39 +0200
+  * Add patch 020_bug489965_bufferoverflow_str_demuxer.diff. Fixes a
+    buffer overflow in the STR demuxer. Thanks to Moritz Muehlenhoff for
+    reporting the issue. (Closes: #489965)
+  * Raising severity to high because of security issue.
+
+ -- Reinhard Tartler <siretart at tauware.de>  Wed, 09 Jul 2008 09:54:52 +0200
 
 ffmpeg-debian (0.svn20080206-9) unstable; urgency=low
 

Added: unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff?rev=1307&op=file
==============================================================================
--- unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff (added)
+++ unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff Wed Jul  9 07:55:26 2008
@@ -1,0 +1,76 @@
+From: Moritz Muehlenhoff <jmm at debian.org>
+Subject: Bug#489965: libavformat52: Buffer overflow in STR demuxer
+To: Debian Bug Tracking System <submit at bugs.debian.org>
+Date: Wed, 09 Jul 2008 01:08:43 +0200
+Resent-From: Moritz Muehlenhoff <jmm at debian.org>
+Reply-To: Moritz Muehlenhoff <jmm at debian.org>, 489965 at bugs.debian.org                                                                        
+
+Package: libavformat52
+Version: 0.svn20080206-9
+Severity: grave
+Tags: security
+Justification: user security hole
+
+I noticed the following issue when browsing ffmpeg commit logs:
+
+http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
+https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
+
+
+
+
+
+The following patch is taken from upstream svn, revision 13993.
+
+--- a/libavformat/psxstr.c
++++ b/libavformat/psxstr.c
+@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte
+                 int current_sector = AV_RL16(&sector[0x1C]);
+                 int sector_count   = AV_RL16(&sector[0x1E]);
+                 int frame_size = AV_RL32(&sector[0x24]);
+-                int bytes_to_copy;
++
++                if(!(   frame_size>=0
++                     && current_sector < sector_count
++                     && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++                    av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++                    return AVERROR_INVALIDDATA;
++                }
++
+ //        printf("%d %d %d\n",current_sector,sector_count,frame_size);
+                 /* if this is the first sector of the frame, allocate a pkt */
+                 pkt = &str->tmp_pkt;
+-                if (current_sector == 0) {
+-                    if (av_new_packet(pkt, frame_size))
++
++                if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++                    if(pkt->data)
++                        av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++                    av_free_packet(pkt);
++                    if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+                         return AVERROR(EIO);
+ 
+                     pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
+@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte
+                        str->pts += (90000 / 15);
+                 }
+ 
+-                /* load all the constituent chunks in the video packet */
+-                bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+-                if (bytes_to_copy>0) {
+-                    if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+-                    memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+-                        sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+-                }
++                memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++                       sector + VIDEO_DATA_HEADER_SIZE,
++                       VIDEO_DATA_CHUNK_SIZE);
++
+                 if (current_sector == sector_count-1) {
++                    pkt->size= frame_size;
+                     *ret_pkt = *pkt;
++                    pkt->data= NULL;
++                    pkt->size= -1;
+                     return 0;
+                 }
+ 
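Review bot: In the embedded psxstr.c patch, the packet is now allocated at `sector_count*VIDEO_DATA_CHUNK_SIZE` bytes on whichever sector arrives first and is handed out as soon as `current_sector == sector_count-1`, so a frame with missing sectors is returned with chunks that were never written. Unless av_new_packet() clears the payload (not visible here), those bytes are stale heap contents passed on to the decoder; adding `memset(pkt->data, 0, sector_count*VIDEO_DATA_CHUNK_SIZE);` right after the successful av_new_packet() call would make a gap decode as zeros instead. Related: when an incomplete frame is followed by one with the same sector_count, the `pkt->size !=` check does not fire, so the old buffer and, as far as the two hunks show, its `pkt->pos` and pts appear to be reused; tracking the expected next sector would catch both cases. str_read_packet starts and ends outside the hunks shown.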

Modified: unstable/ffmpeg/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/patches/series?rev=1307&op=diff
==============================================================================
--- unstable/ffmpeg/debian/patches/series (original)
+++ unstable/ffmpeg/debian/patches/series Wed Jul  9 07:55:26 2008
@@ -2,5 +2,6 @@
 013_strip_unneeded_linker_flags.diff
 015_reenable-img_convert.diff
 020_fix_libswscale_pic_code
+020_bug489965_bufferoverflow_str_demuxer.diff
 300_c++_compliant_headers.diff
 900_doxyfile



