r1307 - in /unstable/ffmpeg/debian: ./ changelog patches/020_bug489965_bufferoverflow_str_demuxer.diff patches/series
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Wed Jul 9 07:55:27 UTC 2008
Author: siretart
Date: Wed Jul 9 07:55:26 2008
New Revision: 1307
URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1307
Log:
* Add patch 020_bug489965_bufferoverflow_str_demuxer.diff. Fixes a
buffer overflow in the STR demuxer. Thanks to Moritz Muehlenhoff for
reporting the issue. (Closes: #489965)
* Raising severity to high because of security issue.
Added:
unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff
Modified:
unstable/ffmpeg/debian/ (props changed)
unstable/ffmpeg/debian/changelog
unstable/ffmpeg/debian/patches/series
Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:file-ids (original)
+++ bzr:file-ids Wed Jul 9 07:55:26 2008
@@ -1,0 +1,1 @@
+patches/020_bug489965_bufferoverflow_str_demuxer.diff 020_bug489965_buffer-20080709075053-htd03e50ze13kewl-1
Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:revision-id:v3-single1-dW5zdGFibGUvZmZtcGVnL2RlYmlhbg.. (original)
+++ bzr:revision-id:v3-single1-dW5zdGFibGUvZmZtcGVnL2RlYmlhbg.. Wed Jul 9 07:55:26 2008
@@ -43,3 +43,4 @@
77 siretart at tauware.de-20080707153732-3yyo2ff3yb2c1oms
78 siretart at tauware.de-20080708125428-7jvyke7mw1daxqbj
79 siretart at tauware.de-20080708125447-yacvth4x5njytrip
+80 siretart at tauware.de-20080709075516-hffgk4qdf523wk8o
Propchange: unstable/ffmpeg/debian/
------------------------------------------------------------------------------
--- bzr:revision-info (original)
+++ bzr:revision-info Wed Jul 9 07:55:26 2008
@@ -1,4 +1,4 @@
-timestamp: 2008-07-08 14:54:47.443000078 +0200
+timestamp: 2008-07-09 09:55:16.184000015 +0200
committer: Reinhard Tartler <siretart at tauware.de>
properties:
branch-nick: unstable
Modified: unstable/ffmpeg/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/changelog?rev=1307&op=diff
==============================================================================
--- unstable/ffmpeg/debian/changelog (original)
+++ unstable/ffmpeg/debian/changelog Wed Jul 9 07:55:26 2008
@@ -1,4 +1,4 @@
-ffmpeg-debian (0.svn20080206-10) UNRELEASED; urgency=low
+ffmpeg-debian (0.svn20080206-10) UNRELEASED; urgency=high
* enable mmx and sse3 in builds. These CPU features are autodetected
at runtime on amd64 and i386 using the 'cpuid' instrcution.
@@ -6,8 +6,12 @@
* disable support for liba52-dev. ffmpeg has its own implementation.
* don't add -fPIC -DPIC forcefully to ./configure. upstream claim that
the configure script gets this right on all architectures itself.
-
- -- Reinhard Tartler <siretart at tauware.de> Mon, 07 Jul 2008 16:31:39 +0200
+ * Add patch 020_bug489965_bufferoverflow_str_demuxer.diff. Fixes a
+ buffer overflow in the STR demuxer. Thanks to Moritz Muehlenhoff for
+ reporting the issue. (Closes: #489965)
+ * Raising severity to high because of security issue.
+
+ -- Reinhard Tartler <siretart at tauware.de> Wed, 09 Jul 2008 09:54:52 +0200
ffmpeg-debian (0.svn20080206-9) unstable; urgency=low
Added: unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff?rev=1307&op=file
==============================================================================
--- unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff (added)
+++ unstable/ffmpeg/debian/patches/020_bug489965_bufferoverflow_str_demuxer.diff Wed Jul 9 07:55:26 2008
@@ -1,0 +1,76 @@
+From: Moritz Muehlenhoff <jmm at debian.org>
+Subject: Bug#489965: libavformat52: Buffer overflow in STR demuxer
+To: Debian Bug Tracking System <submit at bugs.debian.org>
+Date: Wed, 09 Jul 2008 01:08:43 +0200
+Resent-From: Moritz Muehlenhoff <jmm at debian.org>
+Reply-To: Moritz Muehlenhoff <jmm at debian.org>, 489965 at bugs.debian.org
+
+Package: libavformat52
+Version: 0.svn20080206-9
+Severity: grave
+Tags: security
+Justification: user security hole
+
+I noticed the following issue when browsing ffmpeg commit logs:
+
+http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
+https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
+
+
+
+
+
+The following patch is taken from upstream svn, revision 13993.
+
+--- a/libavformat/psxstr.c
++++ b/libavformat/psxstr.c
+@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte
+ int current_sector = AV_RL16(§or[0x1C]);
+ int sector_count = AV_RL16(§or[0x1E]);
+ int frame_size = AV_RL32(§or[0x24]);
+- int bytes_to_copy;
++
++ if(!( frame_size>=0
++ && current_sector < sector_count
++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ // printf("%d %d %d\n",current_sector,sector_count,frame_size);
+ /* if this is the first sector of the frame, allocate a pkt */
+ pkt = &str->tmp_pkt;
+- if (current_sector == 0) {
+- if (av_new_packet(pkt, frame_size))
++
++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++ if(pkt->data)
++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++ av_free_packet(pkt);
++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+ return AVERROR(EIO);
+
+ pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
+@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte
+ str->pts += (90000 / 15);
+ }
+
+- /* load all the constituent chunks in the video packet */
+- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+- if (bytes_to_copy>0) {
+- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+- }
++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++ sector + VIDEO_DATA_HEADER_SIZE,
++ VIDEO_DATA_CHUNK_SIZE);
++
+ if (current_sector == sector_count-1) {
++ pkt->size= frame_size;
+ *ret_pkt = *pkt;
++ pkt->data= NULL;
++ pkt->size= -1;
+ return 0;
+ }
+
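Review bot: The reallocation branch `if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE)` can hand uninitialised heap bytes to the decoder, because it runs for any `current_sector`, not only sector 0. If a file's first sector for a frame has a non-zero index, or `sector_count` changes mid-frame, the new buffer is only filled from that sector onward. The earlier chunks are never written before `*ret_pkt = *pkt` returns the packet with `pkt->size= frame_size`. As far as I know `av_new_packet` does not clear the payload, so I would add `memset(pkt->data, 0, sector_count*VIDEO_DATA_CHUNK_SIZE);` right after the successful allocation. The new bounds check does keep the fixed-size `memcpy` inside the buffer, so this is about stale data rather than an overflow. `str_read_packet` starts and ends outside the hunk, so the initial state of `str->tmp_pkt` cannot be confirmed from here.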
Modified: unstable/ffmpeg/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/ffmpeg/debian/patches/series?rev=1307&op=diff
==============================================================================
--- unstable/ffmpeg/debian/patches/series (original)
+++ unstable/ffmpeg/debian/patches/series Wed Jul 9 07:55:26 2008
@@ -2,5 +2,6 @@
013_strip_unneeded_linker_flags.diff
015_reenable-img_convert.diff
020_fix_libswscale_pic_code
+020_bug489965_bufferoverflow_str_demuxer.diff
300_c++_compliant_headers.diff
900_doxyfile