[SCM] ffmpeg/master: Add avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch to fix CVE-2015-6761.

aca-guest at users.alioth.debian.org aca-guest at users.alioth.debian.org
Wed Oct 14 22:59:52 UTC 2015 

The following commit has been merged in the master branch:
commit c6ea53684996dfb018c7d78f0a3bca91ff461e54
Author: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Date:   Thu Oct 15 00:18:04 2015 +0200

    Add avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch to fix CVE-2015-6761.

diff --git a/debian/patches/avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch b/debian/patches/avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch
new file mode 100644
index 0000000..e262862
--- /dev/null
+++ b/debian/patches/avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch
@@ -0,0 +1,34 @@
+From b46efcb2933c6adc11486104195dcd5054485246 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael at niedermayer.cc>
+Date: Wed, 30 Sep 2015 13:10:48 +0200
+Subject: [PATCH] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer
+ setup
+
+The variable is not a constant and can lead to race conditions
+
+Fixes: repro.webm (not reproducable with FFmpeg alone)
+
+Found-by: Dale Curtis <dalecurtis at google.com>
+Tested-by: Dale Curtis <dalecurtis at google.com>
+Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
+(cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c)
+---
+ libavcodec/vp8.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
+index 730871a..cb0c7cd 100644
+--- a/libavcodec/vp8.c
++++ b/libavcodec/vp8.c
+@@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
+     s->mb_height = (s->avctx->coded_height + 15) / 16;
+ 
+     s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE &&
+-                   FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1;
++                   avctx->thread_count > 1;
+     if (!s->mb_layout) { // Frame threading and one thread
+         s->macroblocks_base       = av_mallocz((s->mb_width + s->mb_height * 2 + 1) *
+                                                sizeof(*s->macroblocks));
+-- 
+2.6.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 0783efa..2eeae7b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 Change-symbol-versioning.patch
+avcodec-vp8-Do-not-use-num_coeff_partitions-in-thread.patch

-- 
ffmpeg packaging

More information about the pkg-multimedia-commits mailing list