Date: Thu, 03 May 2012 12:53:23 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Michael Niedermayer <michaelni@....at>, Måns Rullgård <mans@...sr.com>, fabian.yamaguchi@...uni-goettingen.de
Subject: Security issue in libav/ffmpeg

A heap corruption security bug[1] was reported by Fabian Yamaguchi
against libav in Ubuntu. This issue also affected ffmpeg.

This issue is now public and has been assigned CVE-2012-0947.

Attached is a patch from upstream libav to fix the issue (thanks to Måns
Rullgård). While the issue also affected ffmpeg, upstream ffmpeg fixed
this some time ago in 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d.

[1] https://launchpad.net/bugs/980963

-- 
Jamie Strandboge             | http://www.canonical.com

From 6b06666caa7fadcb2a2ae33833af840bb2201694 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@...sr.com>
Date: Mon, 23 Apr 2012 13:16:33 +0100
Subject: [PATCH] vqavideo: return error if image size is not a multiple of
 block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Signed-off-by: Mans Rullgard <mans@...sr.com>
---
 libavcodec/vqavideo.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 3c9fbed..1bad226 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -151,6 +151,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
         return -1;
     }
 
+    if (s->width  & (s->vector_width  - 1) ||
+        s->height & (s->vector_height - 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* allocate codebooks */
     s->codebook_size = MAX_CODEBOOK_SIZE;
     s->codebook = av_malloc(s->codebook_size);
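
Review bot: the mask test `s->width & (s->vector_width - 1)` (and the matching height test) only means "not a multiple of the block size" when vector_width and vector_height are non-zero powers of two, and nothing in the visible hunk establishes that. If the check that ends in `return -1;` just above already restricts the vector dimensions to such values, a one-line comment saying so would make the dependency explicit; otherwise a `%` test with a zero guard is the safer form. The new path returns AVERROR_INVALIDDATA while the preceding error path returns a bare -1, so consider making the two consistent, and consider logging the offending width, height and block dimensions in the av_log message so rejected files are easier to triage.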
-- 
1.7.10

