Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 4 Dec 2016 22:10:41 -0500
From: <cve-assign@...re.org>
To: <ago@...too.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: libav: multiple crashes from the Undefined Behavior Sanitizer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer

> libav-11.8/libavcodec/mpegvideo.c:2381:65: runtime 
> error: left shift of negative value -1
> 
> libav-11.8/libavcodec/mpegvideo.c:2382:65: runtime 
> error: left shift of negative value -1
> 
> libav-11.8/libavcodec/mpegvideo.c:2383:65: runtime 
> error: left shift of negative value -1
> 
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo

Use CVE-2016-9819.


> libav-11.8/libavcodec/mpegvideo_motion.c:323:47: runtime 
> error: left shift of negative value -1
> 
> libav-11.8/libavcodec/mpegvideo_motion.c:331:55: runtime 
> error: left shift of negative value -1
> 
> libav-11.8/libavcodec/mpegvideo_motion.c:336:55: runtime 
> error: left shift of negative value -1
> 
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo

Use CVE-2016-9820.


> libav-11.8/libavcodec/mpegvideo_parser.c:91:65: runtime 
> error: signed integer overflow: 28573696 * 400 cannot be represented in type 
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser

Use CVE-2016-9821.


> libav-11.8/libavcodec/mpeg12dec.c:1401:41: runtime 
> error: signed integer overflow: 28573696 * 400 cannot be represented in type 
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser

Use CVE-2016-9822.


> libav-11.8/libavcodec/x86/mpegvideo.c:53:18: runtime 
> error: index -1 out of bounds for type 'uint8_t [64]'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo

Use CVE-2016-9823.


> libav-11.8/libswscale/x86/swscale.c:189:64: runtime 
> error: signed integer overflow: 65463 * 65537 cannot be represented in type 
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c

Use CVE-2016-9824.


> libav-11.8/libswscale/utils.c:340:30: 
> runtime error: left shift of negative value -1
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00040-libav-leftshift-utils_c

Use CVE-2016-9825.


> libav-11.8/libavcodec/ituh263dec.c:645:34: runtime 
> error: left shift of negative value -16
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00041-libav-leftshift-ituh263dec_c

Use CVE-2016-9826.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYRNjAAAoJEHb/MwWLVhi2XgkP/ipJxBDzXKZk/Iw4b2AtNEWG
PN40jZo5SEEYBJWdQiFmHglJVxg4WTDanpSz6XZagWhCMf8HQnL5S1nptxv+0I9u
qX83NQ/+Ol8m0l9yX5GyLdQYJUn9va1iQeW/UPiqNjBK3JoEwU8w3ltb16PJBfFC
SocSA0SpPraNjUH53ffKGTslxYede5XESu1STFhuVfgjtGq7u9koj3faXdjQBkYl
0zxUpCnTP2kUKQLyyeQmzhYMR6alWMScgTVZIxz9nzW6Zx8BuInty7lwd0MOINn4
KHeS+DWUF9ZpL90e6mj38BRwxCcwm97xlULpOzU9JG1nrvltx7wJNYRAQ2hFkf6j
w2EEnq6zKQg2kVQLpOAh3Ri9GsugpPikCGbhAS7a7gL5en7SysRtEyVd8d4IvwTN
V/wg1qRnfYq8m0KBAhP5kGY9qEsXtlPRUckFJIrcWpFApi9+7nPSYC9v8XqroTXV
sHwwqs4zmvCy69fI34eC6oBg6OGNPlcVP90js+bVZF+LIGl5DQuswy4A1hgFXBaN
ZGw/Es8Cum2bg6CB+Rmwor2cbhmetEm2FURwyhXJmriwux0wbCMLEKExdsAtW03h
n/+UUPuBnUdv1vctKQcusL6GJY3fzeCMPj6xuGhSeJsIuDqTdvpBE+I9UzDIT/1v
VT5T+x2OdJWy13bvi+9J
=Nmrb
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.