FFmpeg security fixes July 2015
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ffmpeg (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Bug Description
FFmpeg 2.5.8 fixing a number of crashes and other potentially security relevant issues was released.
From the upstream Changelog:
version 2.5.8
- snow: remove an obsolete av_assert2
- huffyuvdec: validate image size
- vc1dec: use get_bits_long and limit the read bits to 32
- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts
- libshine: fix support for shine 3.0
- avidec: check for valid bit_rate range
- avformat/nut: support WavPack
- avcodec/diracdec: Check slices malloc and propagate error code
- avcodec/vp8: Check buffer size in vp8_decode_
- avcodec/vp8: Fix null pointer dereference in ff_vp8_
- avcodec/diracdec: Check for hpel_base allocation failure
- avcodec/rv34: Clear pointers in ff_rv34_
- avfilter/
- avcodec/
- swscale/utils: Clear pix buffers
- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_
- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate
- ffmpeg: Fix crash with ost->last_frame allocation failure
- ffmpeg: Fix cleanup with ost = NULL
- avcodec/
- avcodec/sanm: Reset sizes in destroy_buffers()
- avcodec/alac: Clear pointers in allocate_buffers()
- bytestream2: set the reader to the end when reading more than available
- avcodec/utils: use a minimum 32pixel width in avcodec_
- avcodec/mpegvideo: Clear pointers in ff_mpv_
- oggparsedirac: check return value of init_get_bits
- wmalosslessdec: reset frame->nb_samples on packet loss
- wmalosslessdec: avoid reading 0 bits with get_bits
- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2()
- avcodec/aacsbr: Assert that bs_num_env is positive
- avcodec/aacsbr: check that the element type matches before applying SBR
- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
- vp9/update_prob: prevent out of bounds table read
- avfilter/
- avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
- avcodec/pngdec: Require an IHDR chunk before fctl
- avcodec/pngdec: Only allow one IHDR chunk
- wmavoice: limit wmavoice_
- swscale/
- ffmpeg: Do not use the data/size of a bitstream filter after failure
- swscale/
- swscale/
- vda: unlock the pixel buffer base address.
- swscale/
- swscale/
- swscale/
- swr: Remember previously set int_sample_format from user
- matroskadec: check audio sample rate
- matroskadec: validate audio channels and bitdepth
- avcodec/dpxenc: implement write16/32 as functions
- postproc: fix unaligned access
- ffmpeg: Free last_frame instead of just unref
- avio: fix potential crashes when combining ffio_ensure_
- h264: er: Copy from the previous reference only if compatible
- sonic: set avctx->channels in sonic_decode_init
- vp8: change mv_{min,max}.{x,y} type to int
- vp9: change type of tile_size from unsigned to int64_t
- arm: only enable setend on ARMv6
- libopenjpegdec: check existence of image component data
- mov: abort on EOF in ff_mov_read_chan
- ffmpeg_opt: Check for localtime() failure
- avformat: Fix bug in parse_rps for HEVC.
- takdec: ensure chan2 is a valid channel index
- avcodec/h264_slice: Use AVFrame dimensions for grayscale handling
- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet()
- libavutil/
- avcodec/
- avformat/ffmdec: Check ffio_set_buf_size() return value
- avcodec/adpcm: Check for overreads
- avcodec/alsdec: Check for overread
- avcodec/
- libavutil/
- swresample/
- Revert "avformat/rtpenc: check av_packet_
- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec
- swresample/dither: check memory allocation
- libopenjpegenc: add NULL check for img before accessing it
- swresample: Check the return value of resampler->init()
- h264: Make sure reinit failures mark the context as not initialized
- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target
- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits()
- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes()
- avcodec/
- avcodec/put_bits: Update size_in_bits in set_put_
- avformat/wavdec: Increase dts packet threshold to fix more misdetections
- avformat/wavdec: Increase probe_packets limit
- avformat/swfdec: Do not error out on pixel format changes
- avfilter/
- avcodec/
- avcodec/mpegvideo: Factor ff_mpv_
- avformat/mov: Mark avio context of decompressed atoms as seekable
- avcodec/hevc_ps: Only discard overread VPS if a previous is available
- avcodec/
- avcodec/exr: fix crash caused by merge
information type: Private Security → Public Security
Changed in ffmpeg (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: New → In Progress
Attached is a debdiff. (git repo is at [1])
Testing performed (in a vivid chroot):
* build including test suite works
* installation works
* upgrade works
* no regressions in the autopkgtests from 2.7.2-1
1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid