[SCM] FFmpeg packaging branch, ubuntu.karmic, updated. debian/0.5+svn20090706-1ubuntu3-38-gb589a5c
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Fri Oct 30 22:32:27 UTC 2009
The following commit has been merged in the ubuntu.karmic branch:
commit 0544db98175c7ef53f42ad7a315bdf999a67d80d
Author: Reinhard Tartler <siretart at tauware.de>
Date: Fri Oct 30 23:29:03 2009 +0100
backported libavformat/mov.c security fixes
thanks to Marc Deslauriers <marc.deslauriers at canonical.com> for
identifying the following chrome issues in the ffmpeg svn:
09_mov_stsz_int_oflow.patch:
32_mov_stream_index.patch:
diff --git a/debian/patches/security/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch b/debian/patches/security/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
new file mode 100644
index 0000000..db8c38e
--- /dev/null
+++ b/debian/patches/security/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
@@ -0,0 +1,26 @@
+From 59a7d76f26091bb379e41e546c561d6987b2df3b Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 7 Sep 2009 22:42:51 +0000
+Subject: [PATCH] check entries against field_size, potential malloc overflow in read_stsz, fix #1357
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19793 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/mov.c b/libavformat/mov.c
+index 5f11ebe..05fdfa3 100644
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -1256,7 +1256,7 @@ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ return -1;
+ }
+
+- if(entries >= UINT_MAX / sizeof(int))
++ if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size)
+ return -1;
+ sc->sample_sizes = av_malloc(entries * sizeof(int));
+ if (!sc->sample_sizes)
+--
+1.6.3.3
+
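Review bot: The added clause `entries >= (UINT_MAX - 4) / field_size` uses `field_size`, but the `mov_read_stsz` visible in patch 0003 of this same commit declares only `unsigned int i, entries, sample_size;`, so this backport may not compile against the packaged tree unless `field_size` is introduced somewhere not shown here. The hunk is also addressed at line 1256, while 0003 shows `mov_read_stsz` near line 1119 before and 1176 after its own changes, and the leading context (`return -1;` / `}`) does not appear in that function's visible preamble, so it may apply only with fuzz or not at all. If this branch has no `field_size` handling, the existing `entries >= UINT_MAX / sizeof(int)` bound already keeps `av_malloc(entries * sizeof(int))` from wrapping; the extra clause presumably guards a later computation, and should be dropped or its prerequisite change backported first. The function starts and ends outside the hunk.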
diff --git a/debian/patches/security/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch b/debian/patches/security/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
new file mode 100644
index 0000000..8fbe248
--- /dev/null
+++ b/debian/patches/security/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
@@ -0,0 +1,32 @@
+From b601744633167a1b37bc171d298872d57522400e Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 7 Sep 2009 22:36:33 +0000
+Subject: [PATCH] add one missing check for stream existence in read_elst, fix #1364
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19792 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/mov.c b/libavformat/mov.c
+index 74698e0..5f11ebe 100644
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -1905,9 +1905,13 @@ free_and_return:
+ /* edit list atom */
+ static int mov_read_elst(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- MOVStreamContext *sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
++ MOVStreamContext *sc;
+ int i, edit_count;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+ edit_count = get_be32(pb); /* entries */
+--
+1.6.3.3
+
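Review bot: The new guard in `mov_read_elst` returns 0 (success) when `c->fc->nb_streams < 1`, so a file carrying an edit-list atom outside any track is accepted silently; a short comment such as `/* elst without a preceding trak: no stream to attach to, ignore the atom */` would record that this is deliberate. Separately, `edit_count` is a signed `int` filled from the file-controlled `get_be32(pb)` on the last context line. The loop that consumes it lies outside the hunk, so confirm it cannot keep iterating on a very large or negative count once the input is exhausted. The function body continues past the hunk.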
diff --git a/debian/patches/security/mov/0003-check-stream-existence-before-assignment-fix-1222.patch b/debian/patches/security/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
new file mode 100644
index 0000000..67f5959
--- /dev/null
+++ b/debian/patches/security/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
@@ -0,0 +1,285 @@
+From 83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12 Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 24 Jun 2009 03:38:47 +0000
+Subject: [PATCH] check stream existence before assignment, fix #1222
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19259 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c | 136 +++++++++++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 107 insertions(+), 29 deletions(-)
+
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -238,10 +238,15 @@ static int mov_read_default(MOVContext *
+
+ static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ int entries, i, j;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_be32(pb); // version + flags
+ entries = get_be32(pb);
+ if (entries >= UINT_MAX / sizeof(*sc->drefs))
+@@ -381,9 +386,13 @@ static const AVCodecTag mp4_audio_types[
+
+ static int mov_read_esds(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++ AVStream *st;
+ int tag, len;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++
+ get_be32(pb); /* version + flags */
+ len = mp4_read_descr(c, pb, &tag);
+ if (tag == MP4ESDescrTag) {
+@@ -440,7 +449,12 @@ static int mov_read_pasp(MOVContext *c,
+ {
+ const int num = get_be32(pb);
+ const int den = get_be32(pb);
+- AVStream * const st = c->fc->streams[c->fc->nb_streams-1];
++ AVStream *st;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++
+ if (den != 0) {
+ if ((st->sample_aspect_ratio.den != 1 || st->sample_aspect_ratio.num) && // default
+ (den != st->sample_aspect_ratio.den || num != st->sample_aspect_ratio.num))
+@@ -494,12 +508,18 @@ static int mov_read_moof(MOVContext *c,
+
+ static int mov_read_mdhd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
+- int version = get_byte(pb);
++ AVStream *st;
++ MOVStreamContext *sc;
++ int version;
+ char language[4] = {0};
+ unsigned lang;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
++ version = get_byte(pb);
+ if (version > 1)
+ return -1; /* unsupported */
+
+@@ -561,7 +581,11 @@ static int mov_read_mvhd(MOVContext *c,
+
+ static int mov_read_smi(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++ AVStream *st;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
+
+ if((uint64_t)atom.size > (1<<30))
+ return -1;
+@@ -581,9 +605,14 @@ static int mov_read_smi(MOVContext *c, B
+
+ static int mov_read_enda(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- int little_endian = get_be16(pb);
++ AVStream *st;
++ int little_endian;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
+
++ little_endian = get_be16(pb);
+ dprintf(c->fc, "enda %d\n", little_endian);
+ if (little_endian == 1) {
+ switch (st->codec->codec_id) {
+@@ -633,7 +662,11 @@ static int mov_read_extradata(MOVContext
+
+ static int mov_read_wave(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++ AVStream *st;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
+
+ if((uint64_t)atom.size > (1<<30))
+ return -1;
+@@ -660,7 +693,11 @@ static int mov_read_wave(MOVContext *c,
+ */
+ static int mov_read_glbl(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++ AVStream *st;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
+
+ if((uint64_t)atom.size > (1<<30))
+ return -1;
+@@ -676,10 +713,15 @@ static int mov_read_glbl(MOVContext *c,
+
+ static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+
+@@ -742,10 +784,15 @@ static enum CodecID mov_get_lpcm_codec_i
+
+ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ int j, entries, pseudo_stream_id;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+
+@@ -1064,10 +1111,15 @@ static int mov_read_stsd(MOVContext *c,
+
+ static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+
+@@ -1092,10 +1144,15 @@ static int mov_read_stsc(MOVContext *c,
+
+ static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+
+@@ -1119,10 +1176,15 @@ static int mov_read_stss(MOVContext *c,
+
+ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries, sample_size;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+
+@@ -1150,12 +1212,17 @@ static int mov_read_stsz(MOVContext *c,
+
+ static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries;
+ int64_t duration=0;
+ int64_t total_sample_count=0;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+ entries = get_be32(pb);
+@@ -1194,10 +1261,15 @@ static int mov_read_stts(MOVContext *c,
+
+ static int mov_read_ctts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
++ AVStream *st;
++ MOVStreamContext *sc;
+ unsigned int i, entries;
+
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
++
+ get_byte(pb); /* version */
+ get_be24(pb); /* flags */
+ entries = get_be32(pb);
+@@ -1504,10 +1576,16 @@ static int mov_read_tkhd(MOVContext *c,
+ int height;
+ int64_t disp_transform[2];
+ int display_matrix[3][2];
+- AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+- MOVStreamContext *sc = st->priv_data;
+- int version = get_byte(pb);
++ AVStream *st;
++ MOVStreamContext *sc;
++ int version;
++
++ if (c->fc->nb_streams < 1)
++ return 0;
++ st = c->fc->streams[c->fc->nb_streams-1];
++ sc = st->priv_data;
+
++ version = get_byte(pb);
+ get_be24(pb); /* flags */
+ /*
+ MOV_TRACK_ENABLED 0x0001
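Review bot: The fix only holds if every atom handler that indexes `c->fc->streams[c->fc->nb_streams-1]` carries the same `nb_streams < 1` guard, and this patch can be checked only for the sixteen handlers it touches; after applying the series, `grep -n 'nb_streams-1' libavformat/mov.c` should show no use without a preceding check. In `mov_read_pasp` the `num`/`den` initialisers still call `get_be32(pb)` before the guard, unlike `mov_read_mdhd`, `mov_read_enda` and `mov_read_tkhd`, where the read was moved below it; that looks harmless but is inconsistent and deserves a comment or the same reordering. The guard also proves only that a stream exists, not that `st->priv_data` is non-NULL, so handlers that dereference `sc` rely on stream creation always setting it, which should be confirmed against the trak handler, not part of this diff.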
diff --git a/debian/patches/series b/debian/patches/series
index c5c0171..ef03d15 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -65,3 +65,8 @@ security/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.p
# h264 security backports
security/h264/0001-Check-num_units_in_tick-time_scale-to-be-valid-and-w.patch
+
+# mov security backports
+security/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
+security/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
+security/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
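Review bot: The three entries are applied as 0001, 0002, 0003, but the patch headers suggest upstream committed them in the reverse order: 0003 is svn r19259 (June), 0002 is r19792 with `index 74698e0..5f11ebe`, and 0001 is r19793 with `index 5f11ebe..05fdfa3`. Because 0001 and 0003 both modify `mov_read_stsz`, verify that the series applies in this order with no fuzz and no offset that lands a hunk in a neighbouring function, or reorder the entries to match upstream.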
--
FFmpeg packaging