Date: Wed, 01 Feb 2012 14:56:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Requests for FFmpeg 0.9.1

================================================
HEAP buffer overflows (10): (write)

ae21776207e8a2bbe268e7c9e203f7599dd87ddb
lavfi: add missing check in avfilter_filter_samples()
Simple case of missing check, there wasn't much using the audio filters so this probably is not practically exploitable

5257743aee0c3982f0079e6553aabc6aa39401d2
ws_snd1: Fix wrong samples count and crash.
Simple case of amount written and check mismatching

1f99939a6361e2e6d6788494dd7c682b051c6c34
j2kdec: Fix integer overflow leading to a segfault
http://ffmpeg.org/trac/ffmpeg/ticket/776
The check missed negative values, j2k is marked as experimental though so depending on the user app this may require the user to enable it.

944f5b2779e4aa63f7624df6cd4de832a53db81b
aacsbr: Fix memory corruption.
http://ffmpeg.org/trac/ffmpeg/ticket/760
v_off becoming negative and writes based on this overwriting various fields of the struct which valgrind didn't detect.

7fff64e00d886fde11d61958888c82b461cf99b9
h264: check chroma_format_idc range.
http://ffmpeg.org/trac/ffmpeg/ticket/758

608708009f69ba4cecebf05120c696167494c897
adpcm: Fix crash
http://ffmpeg.org/trac/ffmpeg/ticket/794
Allocation for X channels, write for 2, this adds a X!=2 check

9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016
atrac3: Fix crash in tonal component decoding.
http://ffmpeg.org/trac/ffmpeg/ticket/780
Simple case of index becoming bigger than array without checks

6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5
CODEC_ID_SOL_DPCM: Fix used write buffer.
Wrong pointer being used to write after recent audio API change.

3eedf9f716733b3b4c5205726d2c1ca52b3d3d78
j2kdec: Check curtileno for validity
Simple missing check for index and array size.
j2k is marked as experimental though so depending on the user app this may require the user to enable it.

21270cffaeab2f67a613907516b2b0cd6c9eacf4
h263dec: Fix regression / crash with lowres.
http://ffmpeg.org/trac/ffmpeg/ticket/757
memset of the full size in a reduced size buffer, this requires the user to enable lowres

================================================
HEAP+possible STACK buffer overflow (1): (write)

282bb02839b1ce73963c8e3ee46804f1ade8b12a
j2kdec: Fix crash in get_qcx
Simple missing check for index and array size.
j2k is marked as experimental though so depending on the user app this may require the user to enable it.

================================================
Things that didn't fit in above (2):

18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c
shorten: Fix invalid free()
Adding an offset after realloc() but not undoing that before a possible 2nd realloc()

6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2
vorbis: Fix last quarter of CVE-2011-3893
This fixes an apparently forgotten case in the original patchset from google
I've reproduced this by setting multiplier to the maximal value that it could reach

================================================

So for all the interesting vulns:

HEAP buffer overflows (10): (write)
HEAP+possible STACK buffer overflow (1): (write)
Things that didn't fit in above (4): (just the first two)

that's 15 CVEs, the rest like Steve said do not qualify for CVEs. Steve, ok if I go ahead with these 13?

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
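The defect classes recurring in the list above are a stream-supplied index or count used without a range check, a check that misses negative values, and a buffer allocated for one channel count but written for another. The following constructed C example, added here and not FFmpeg code, shows the validation a decoder needs for each of those cases; the ToyContext struct, the function names and the MAX_COMPONENTS constant are assumptions made for the illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy decoder context; not an FFmpeg structure. */
#define MAX_COMPONENTS 4

typedef struct {
    int nb_channels;          /* channel count parsed from the stream header */
    int nb_samples;           /* samples per channel the buffer was sized for */
    int16_t *samples;         /* interleaved, nb_channels * nb_samples entries */
    int qcx[MAX_COMPONENTS];  /* per-component value indexed from the bitstream */
} ToyContext;

/* Range-check a signed index parsed from the stream. The negative case must be
 * rejected explicitly: "idx >= size" alone lets a negative index through. */
int check_index(int idx, int size) {
    if (idx < 0 || idx >= size)
        return -EINVAL;
    return 0;
}

/* Store a per-component value at a bitstream-supplied component number. */
int set_qcx(ToyContext *ctx, int compno, int value) {
    int err = check_index(compno, MAX_COMPONENTS);
    if (err)
        return err;
    ctx->qcx[compno] = value;
    return 0;
}

/* Size the sample buffer from header counts, rejecting non-positive values and
 * guarding the element-count multiplication before it reaches calloc(). */
int alloc_samples(ToyContext *ctx, int nb_channels, int nb_samples) {
    if (nb_channels <= 0 || nb_samples <= 0)
        return -EINVAL;
    if ((size_t)nb_samples > SIZE_MAX / sizeof(int16_t) / (size_t)nb_channels)
        return -ERANGE;
    ctx->samples = calloc((size_t)nb_channels * (size_t)nb_samples, sizeof(int16_t));
    if (!ctx->samples)
        return -ENOMEM;
    ctx->nb_channels = nb_channels;
    ctx->nb_samples = nb_samples;
    return 0;
}

/* A writer that interleaves exactly two channels. The buffer was allocated
 * for ctx->nb_channels, so any other channel count is refused up front, and
 * the sample count is bounded by what the buffer was sized for. */
int decode_stereo_block(ToyContext *ctx, const int16_t *left, const int16_t *right, int n) {
    if (ctx->nb_channels != 2)
        return -EINVAL;
    if (n < 0 || n > ctx->nb_samples)
        return -EINVAL;
    for (int i = 0; i < n; i++) {
        ctx->samples[2 * i]     = left[i];
        ctx->samples[2 * i + 1] = right[i];
    }
    return n;
}

void free_ctx(ToyContext *ctx) {
    free(ctx->samples);
    ctx->samples = NULL;
}

/* Exercise the checks on constructed input; returns 0 on success, else the
 * number of the step that failed. */
int run_checks(void) {
    ToyContext ctx;
    int16_t l[4] = {1, 2, 3, 4}, r[4] = {5, 6, 7, 8};
    memset(&ctx, 0, sizeof ctx);
    if (set_qcx(&ctx, -1, 5) != -EINVAL) return 1;              /* negative index */
    if (set_qcx(&ctx, MAX_COMPONENTS, 5) != -EINVAL) return 2;  /* one past the end */
    if (set_qcx(&ctx, 2, 7) != 0 || ctx.qcx[2] != 7) return 3;
    if (alloc_samples(&ctx, 0, 4) != -EINVAL) return 4;
    {   /* huge counts are rejected by the overflow guard or by calloc() */
        int err = alloc_samples(&ctx, INT_MAX, INT_MAX);
        if (err != -ERANGE && err != -ENOMEM) return 5;
    }
    if (alloc_samples(&ctx, 1, 4) != 0) return 6;
    if (decode_stereo_block(&ctx, l, r, 4) != -EINVAL) return 7; /* mono buffer */
    free_ctx(&ctx);
    if (alloc_samples(&ctx, 2, 4) != 0) return 8;
    if (decode_stereo_block(&ctx, l, r, 5) != -EINVAL) return 9; /* too many samples */
    if (decode_stereo_block(&ctx, l, r, 4) != 4) return 10;
    if (ctx.samples[0] != 1 || ctx.samples[1] != 5 || ctx.samples[7] != 8) return 11;
    free_ctx(&ctx);
    return 0;
}
```

The checks sit at the point where a header or bitstream value first becomes an index, a count or an allocation size, which is where each of the listed commits adds its missing comparison.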