Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 29 Apr 2016 11:08:51 -0400 (EDT)
From: cve-assign@...re.org
To: gustavo.grieco@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Mplayer/Mencoder integer overflow parsing gif files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A crash caused by an integer overflow parsing a gif was found in the last
> revision of mplayer. It seems to affect older versions too. It was recently
> fixed (r37857). Technical details and a reproducer are available here:
> 
> https://trac.mplayerhq.hu/ticket/2295
> 
> I verified that this issue affects mencoder

>> Fixed in r37857.
>> 
>> The gif demuxes assumes in many places that width*height is <=
>> INT_MAX; this is not true with the sample. Fixed by validating the
>> picture size.

Use CVE-2016-4352.

This code was added to libmpdemux/demux_gif.c between r37856 and r37857:

   // Validate image size, most code in this demuxer assumes w*h <= INT_MAX
   if ((int64_t)gif->SWidth * gif->SHeight > INT_MAX) {
     mp_msg(MSGT_DEMUX, MSGL_ERR,
            "[demux_gif] Unsupported picture size %dx%d.\n", gif->SWidth,
            gif->SHeight);
     if (DGifCloseFile(gif) == GIF_ERROR)
       print_gif_error(NULL);
     free(priv);
     return NULL;
   }

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXI3iYAAoJEHb/MwWLVhi2ndcQAIfNBWzI+O+D90r31xFgzNHh
q5AYsp+VN48Z6f8Ctp6AVXWoD+I/KHC1AIBc5Pn9/ahDyQ+cv9ejMdizkohu7TpW
q4vfeCsmp94pw2w8tKbT4wgI19mdERvWiFe03SD/1xpxaHc6gIZN4+zwmswyIJVq
9UVl6cEbSD/NGDpudTwqNH2Tc6KPfpUTPDh05nHhdEYkoPepemS0E6dHZl0cnV38
qFAF7EvF4h+1pQSfchVdtf58nPu5g7tuR7eudnqnq9g49PZlIOPBKB/cdra7ZON7
eFvZp+0XZ3QtwvDiQ18uAHnobN2RdnonISfimOsd7zYDyoxtAttfOvBRaVRDtTBr
U0hfDRA8g/d5JTmeLMcfm1NWG3+0nF90BVYjY7cziAVBAGoj17fo66mw6nM5Jn2A
1T/9Cc/gqzIvlGlVQk/3KObdK0DbZvGxgFxo8pKTzrRo/thAS6Rp30X672pfGH1W
DxWhbkJgnU+PmaW+86zrWsnHGqoX++bduSIxo/Y1jjigwetaTgCRHO6nFI0onWex
dP0z76DjZ4jBAs7GzsFkv3ck/ZfaQ6MxjXjcR1yYZFeTp3WlD3VIZVuZwohg78wo
IR/5QOoQjwoV5nbgH3l2f0h2pvrCJPvQiwbADzZJpklpg45D2Y8EIMtOQy64hZSz
2kFgy6oWuYKbuQf49Wi4
=oaGW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ