FFmpeg security fixes February 2016
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ffmpeg (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
FFmpeg 2.7.6, fixing a number of crashes and other potentially security-relevant issues (including CVE-2016-2213), was released.
From the upstream Changelog:
version 2.7.6
- avcodec/
- avutil/opt: check for and handle errors in av_opt_set_dict2()
- avcodec/flacenc: fix calculation of bits required in case of custom sample rate
- avformat: Document urls a bit
- avformat/libquvi: Set default demuxer and protocol limitations
- avformat/concat: Check protocol prefix
- doc/demuxers: Document enable_drefs and use_absolute_path
- avcodec/mjpegdec: Check for end for both bytes in unescaping
- avcodec/
- avformat/avformat: Replace some references to filenames by urls
- avcodec/wmaenc: Check ff_wma_init() for failure
- avcodec/mpeg12enc: Move high resolution thread check to before initializing threads
- avformat/img2dec: Use AVOpenCallback
- avformat/avio: Limit url option parsing to the documented cases
- avformat/img2dec: do not interpret the filename by default if a IO context has been opened
- avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get()
- mov: Add an option to toggle dref opening
- avcodec/gif: Fix lzw buffer size
- avcodec/put_bits: Assert buf_ptr in flush_put_bits()
- avcodec/tiff: Check subsample & rps values more completely
- swscale/swscale: Add some sanity checks for srcSlice* parameters
- swscale/
- swscale/
- swscale/
- avcodec/aacenc: Check both channels for finiteness
- swscale/
- dca: fix misaligned access in avpriv_
- brstm: fix missing closing brace
- brstm: also allocate b->table in read_packet
- brstm: make sure an ADPC chunk was read for adpcm_thp
- vorbisdec: reject rangebits 0 with non-0 partitions
- vorbisdec: reject channel mapping with less than two channels
- ffmdec: reset packet_end in case of failure
- avformat/ipmovie: put video decoding_map_size into packet and use it in decoder
CVE References
information type: Private Security → Public Security
Attached is a debdiff. (git repo is at [1])
Testing performed (in a wily chroot):
* build including test suite works
* installation works
* upgrade works
* autopkgtests pass
1: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/log/?h=wily