FFmpeg security fixes December 2015 II
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ffmpeg (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
FFmpeg 2.7.4 fixing a number of crashes and other potentially security relevant issues (including CVE-2015-6761) was released.
From the upstream Changelog:
version 2.7.4
- nuv: sanitize negative fps rate
- rawdec: only exempt BIT0 with need_copy from buffer sanity check
- mlvdec: check that index_entries exist
- nutdec: reject negative value_len in read_sm_data
- xwddec: prevent overflow of lsize * avctx->height
- nutdec: only copy the header if it exists
- exr: fix out of bounds read in get_code
- on2avc: limit number of bits to 30 in get_egolomb
- avcodec/
- avcodec/h264_refs: Fix long_idx check
- avcodec/
- avcodec/h264_slice: Simplify ref2frm indexing
- Revert "avcodec/
- avfilter/
- sonic: make sure num_taps * channels is not larger than frame_size
- opus_silk: fix typo causing overflow in silk_stabilize_lsf
- ffm: reject invalid codec_id and codec_type
- golomb: always check for invalid UE golomb codes in get_ue_golomb
- aaccoder: prevent crash of anmr coder
- ffmdec: reject zero-sized chunks
- swscale/
- swscale/
- avformat/mxfenc: Do not crash if there is no packet in the first stream
- avcodec/
- avformat/utils: estimate_
- avformat/
- avutil/mathematics: Fix division by 0
- mjpegdec: consider chroma subsampling in size check
- avcodec/hevc: Check max ctb addresses for WPP
- avcodec/vp3: ensure header is parsed successfully before tables
- avcodec/
- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int
- swscale/utils: Fix for runtime error: left shift of negative value -1
- avcodec/hevc: Fix integer overflow of entry_point_offset
- avcodec/
- avcodec/
- avcodec/
- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows
- avcodec/wmaprodec: Fix overflow of cutoff
- avformat/smacker: fix integer overflow with pts_inc
- avcodec/vp3: Fix "runtime error: left shift of negative value"
- mpegencts: Fix overflow in cbr mode period calculations
- avutil/timecode: Fix fps check
- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows
- avcodec/apedec: Check length in long_filter_
- avcodec/vp3: always set pix_fmt in theora_
- avcodec/
- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
- avutil/integer: Fix av_mod_i() with negative dividend
- avformat/dump: Fix integer overflow in av_dump_format()
- avcodec/h264_refs: Check that long references match before use
- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
- avcodec/vp3: Clear context on reinitialization failure
- avcodec/hevc: allocate entries unconditionally
- avcodec/hevc_cabac: Fix multiple integer overflows
- avcodec/
- avcodec/
- avcodec/hevc: Check entry_point_offsets
- avcodec/cabac: Check initial cabac decoder state
- avcodec/
- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
- avcodec/vp8: Do not use num_coeff_
- avcodec/ffv1dec: Clear quant_table_count if its invalid
- avcodec/ffv1dec: Print an error if the quant table count is invalid
- doc/filters/
- hqx: correct type and size check of info_offset
- mxfdec: check edit_rate also for physical_track
- mpegvideo: clear overread in clear_context
- dvdsubdec: validate offset2 similar to offset1
- aacdec: don't return frames without data from aac_decode_er_frame
- avcodec/takdec: Use memove, avoid undefined memcpy() use
- riffdec: prevent negative bit rate
information type: | Private Security → Public Security |
Changed in ffmpeg (Ubuntu): | |
importance: | Undecided → Medium |
Attached is a debdiff. (git repo is at [1])
Testing performed (in a wily chroot):
* build including test suite works
* installation works
* upgrade works
* autopkgtests pass
1: https:/ /anonscm. debian. org/cgit/ collab- maint/ffmpeg. git/log/ ?h=wily