FFmpeg security fixes December 2016 (yakkety)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ffmpeg (Ubuntu) | | | |
Yakkety | Fix Released | Medium | Unassigned |
Bug Description
FFmpeg 3.0.5 fixing a number of crashes and other potentially security relevant issues was released.
This includes fixes for CVE-2016-5199 (3.0.4) and CVE-2016-
From the upstream Changelog:
version 3.0.5:
- configure: check for strtoull on msvc
- http: move chunk handling from http_read_stream() to http_buf_read().
- http: make length/
- ffserver: Check chunk size
- Avoid using the term "file" and prefer "url" in some docs and comments
- avformat/rtmppkt: Check for packet size mismatches
- zmqsend: Initialize ret to 0
- avcodec/rawdec: check for side data before checking its size
- avcodec/flacdec: Fix undefined shift in decode_subframe()
- avcodec/get_bits: Fix get_sbits_long(0)
- avformat/ffmdec: Check media type for chunks
- avcodec/flacdec: Fix signed integer overflow in decode_
- avcodec/
- avformat/
- avformat/utils: Check start/end before computing duration in update_
- avcodec/
- avformat/idroqdec: Check chunk_size for being too large
- avformat/mpeg: Adjust vid probe threshold to correct mis-detection
- avcodec/rv40: Test remaining space in loop of get_dimension()
- avcodec/ituh263dec: Avoid spending a long time in slice sync
- avcodec/movtextdec: Add error message for tsmb_size check
- avcodec/movtextdec: Fix tsmb_size check==0 check
- avcodec/movtextdec: Fix potential integer overflow
- avcodec/sunrast: Fix input buffer pointer check
- avcodec/tscc: Check side data size before use
- avcodec/rawdec: Check side data size before use
- avcodec/msvideo1: Check side data size before use
- avcodec/qpeg: Check side data size before use
- avcodec/qtrle: Check side data size before use
- avcodec/msrle: Check side data size before use
- avcodec/kmvc: Check side data size before use
- avcodec/idcinvideo: Check side data size before use
- avcodec/cinepak: Check side data size before use
- avcodec/8bps: Check side data size before use
- avcodec/dvdsubdec: Fix off by 1 error
- avcodec/dvdsubdec: Fix buf_size check
- vp9: change order of operations in adapt_prob().
- avcodec/
- avformat/mxfdec: Check size to avoid integer overflow in mxf_read_
- avcodec/
- avcodec/utils: Clear MMX state before returning from avcodec_
- avformat/icodec: Fix crash probing fuzzed file
- dcstr: fix division by zero
- rsd: limit number of channels
- mss2: only use error correction for matching block counts
- softfloat: decrease MIN_EXP to cover full float range
- libopusdec: default to stereo for invalid number of channels
- pgssubdec: only set w/h/linesize when allocating data
- sbgdec: prevent NULL pointer access
- smacker: limit recursion depth of smacker_
- mxfdec: fix NULL pointer dereference in mxf_read_packet_old
- libschroedingerdec: fix leaking of framewithpts
- libschroedingerdec: don't produce empty frames
- softfloat: handle -INT_MAX correctly
- filmstripdec: correctly check image dimensions
- pnmdec: make sure v is capped by maxval
- smvjpegdec: make sure cur_frame is not negative
- icodec: correctly check avio_read return value
- dvbsubdec: fix division by zero in compute_
- proresdec_lgpl: explicitly check coff[3] against slice_data_size
- escape124: reject codebook size 0
- icodec: add ico_read_close to fix leaking ico->images
- icodec: fix leaking pkt on error
- mpegts: prevent division by zero
- matroskadec: fix NULL pointer dereference in webm_dash_
- mpegaudio_parser: don't return AVERROR_
- mxfdec: fix NULL pointer dereference
- lzf: update pointer p after realloc
- diracdec: check return code of get_buffer_
- ppc: pixblockdsp: do unaligned block accesses correctly again
- interplayacm: increase bitstream buffer size by AV_INPUT_
- interplayacm: validate number of channels
- interplayacm: check for too large b
- mpeg12dec: unref discarded picture from extradata
- cavsdec: unref frame before referencing again
- avformat: prevent triggering request_probe assert in ff_read_packet
- avcodec/avpacket: fix leak on realloc in av_packet_
version 3.0.4:
- libopenjpegenc: fix out-of-bounds reads when filling the edges
- libopenjpegenc: stop reusing image data buffer for openjpeg 2
- configure: fix detection of libopenjpeg
- cmdutils: fix typos
- lavfi: fix typos
- lavc: fix typos
- tools: fix grammar error
- ffmpeg: remove unused and errorneous AVFrame timestamp check
- Support for MIPS cpu P6600
- avutil/
- avformat/avidec: Check nb_streams in read_gab2_sub()
- avformat/avidec: Remove ancient assert
- avformat/avidec: Fix memleak with dv in avi
- lavc/movtextdec.c: Avoid infinite loop on invalid data.
- avcodec/ansi: Check dimensions
- avcodec/cavsdsp: use av_clip_uint8() for idct
- avformat/movenc: Check packet in mov_write_
- avformat/movenc: Factor check_pkt() out
- avformat/utils: fix timebase error in avformat_
- avcodec/g726: Add missing ADDB output mask
- avcodec/avpacket: clear side_data_elems
- avformat/movenc: Check first DTS similar to dts difference
- avcodec/
- avformat/mov: Fix potential integer overflow in mov_read_keys
- swscale/
- swscale/
- lavf/utils: Avoid an overflow for huge negative durations.
version 3.0.3:
- avformat/avidec: Fix infinite loop in avi_read_nikon()
- avcodec/aacenc: Tighter input checks
- avformat/wtvdec: Check pointer before use
- libavcodec/
- avcodec/diracdec: Check numx/y
- avcodec/cfhd: Increase minimum band dimension to 3
- avcodec/indeo2: check ctab
- avformat/swfdec: Fix inflate() error code check
- avcodec/rawdec: Fix bits_per_
- lavc/mjpegdec: Do not skip reading quantization tables.
- cmdutils: fix implicit declaration of SetDllDirectory function
- cmdutils: check for SetDllDirectory() availability
- avcodec/h264: Put context_count check back
- cmdutils: remove the current working directory from the DLL search path on win32
- avcodec/raw: Fix decoding of ilacetest.mov
- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample
- avformat/oggdec: Fix integer overflow with invalid pts
- ffplay: Fix invalid array index
- avcodec/vp9_parser: Check the input frame sizes for being consistent
- libavformat/
- libavutil/opt: Small bugfix in example.
- libx264: Increase x264 opts character limit to 4096
- avformat/mov: Check sample size
- avformat/format: Fix registering a format more than once and related races
- avformat/flacdec: Fix seeking close to EOF
- avcodec/
- avformat/flvdec: Accept last size if its off by 1
- tests/api/
- avcodec: Add avpriv_
- avfilter/
- avformat/mpegts: adjust probe score for low check_count
- avcodec/mpc8: Correct end truncation
- avformat/mp3dec: Increase probe score slightly when the whole data from begin to end is mp3
- avcodec/cfhd: Set dimensions unconditionally
- avcodec/mpegvideo: Do not clear the parse context during init
- avcodec/h264: Fix off by 1 context count
- avcodec/alsdec: Check r to prevent out of array read
- avcodec/alsdec: fix max bits in ltp prefix code
- avcodec/utils: check skip_samples signedness
- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream
- avcodec/bmp_parser: Check fsize
- avcodec/bmp_parser: reset state
- avcodec/bmp_parser: Fix remaining size
- avcodec/bmp_parser: Fix frame_start_found in cross frame cases
- avfilter/af_amix: do not fail if there are no samples in output_frame()
- avformat/
- librtmp: Avoid an infiniloop setting connection arguments
- avformat/
- Revert "configure: Enable GCC vectorization on ≥4.9 on x86"
- avcodec/
- ffplay: Fix usage of private lavfi API
- tests/checkasm/
- avcodec/mpegvideo: Deallocate last/next picture earlier
- avcodec/bmp_parser: Fix state
- avformat/
- avformat/utils: avoid overflow in compute_
- avformat/utils: avoid overflow in update_
- doc/developer.texi: Add a code of conduct
- ffserver: fixed deallocation bug in build_feed_streams
- avcodec/diracdec: Fix potential integer overflow
- avformat/avidec: Detect index with too short entries
- avformat/utils: Check negative bps before shifting in ff_get_
- avformat/utils: Do not compute the bitrate from duration == 0
- ffmpeg: Check that r_frame_rate is set before attempting to use it
- swresample/
- swresample/
- swresample/
- hevc: Fix memory leak related to a53_caption data
- libavformat/oggdec: Free stream private when header parsing fails.
- avformat/utils: Check bps before using it in a shift in ff_get_
- avformat/
- avcodec/mjpegdec: Do not try to detect last scan but apply idct after all scans for progressive jpeg
- avformat/
- avformat/ffmdec: Check pix_fmt
- doc/general: update supported DCA extensions
- avcodec/rscc: check input buffer size for deflate mode
- avcodec/dca: fix sync word search error condition
- lavf/mpegts: Return small probe score for very short transport streams.
information type: Private Security → Public Security
Changed in ffmpeg (Ubuntu Yakkety):
status: New → Triaged
Changed in ffmpeg (Ubuntu):
status: New → Invalid
summary:
- FFmpeg security fixes December 2016 II
+ FFmpeg security fixes December 2016 (yakkety)
tags: added: upgrade-software-version
Changed in ffmpeg (Ubuntu Yakkety):
importance: Undecided → Medium
no longer affects: ffmpeg (Ubuntu)
Attached is a debdiff. (git repo is at [1])
Testing performed (in a yakkety chroot):
* build including test suite works
* installation works
* upgrade works
* autopkgtests pass
[1]: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/log/?h=yakkety