diff -u ffmpeg-0.cvs20050918/debian/control ffmpeg-0.cvs20050918/debian/control --- ffmpeg-0.cvs20050918/debian/control +++ ffmpeg-0.cvs20050918/debian/control @@ -1,7 +1,8 @@ Source: ffmpeg Section: libs Priority: optional -Maintainer: Sam Hocevar (Debian packages) +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Sam Hocevar (Debian packages) Build-Depends: debhelper (>= 4.0), libogg-dev, libvorbis-dev, liba52-dev, libdts-dev, zlib1g-dev, libsdl1.2-dev, libfreetype6-dev, libimlib2-dev, texi2html, libraw1394-dev, libdc1394-13-dev, libtheora-dev (>> 0.0.0.alpha4), libgsm1-dev Standards-Version: 3.6.2.1 diff -u ffmpeg-0.cvs20050918/debian/changelog ffmpeg-0.cvs20050918/debian/changelog --- ffmpeg-0.cvs20050918/debian/changelog +++ ffmpeg-0.cvs20050918/debian/changelog @@ -1,3 +1,22 @@ +ffmpeg (3:0.cvs20050918-5ubuntu1.2) dapper-security; urgency=high + + * SECURITY UPDATE: (LP: #248674) + + libavformat/psxstr.c: + - Stack-based buffer overflow in the str_read_packet function in + libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers + to cause a denial of service (application crash) or execute arbitrary + code via a crafted STR file that interleaves audio and video sectors. + + + References: + - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162 + - https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 + - http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993 + + * debian/control: + - updated maintainer field. + + -- Emanuele Gentili Thu, 17 Jul 2008 23:57:05 +0200 + ffmpeg (3:0.cvs20050918-5ubuntu1.1) dapper-security; urgency=low * SECURITY UPDATE: Fix arbitrary code execution in multiple buffer only in patch2: unchanged: --- ffmpeg-0.cvs20050918.orig/libavformat/psxstr.c +++ ffmpeg-0.cvs20050918/libavformat/psxstr.c 
@@ -274,12 +274,23 @@ int current_sector = LE_16(§or[0x1C]); int sector_count = LE_16(§or[0x1E]); int frame_size = LE_32(§or[0x24]); - int bytes_to_copy; + + if(!( frame_size>=0 + && current_sector < sector_count + && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ + av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); + return AVERROR_INVALIDDATA; + } + // printf("%d %d %d\n",current_sector,sector_count,frame_size); /* if this is the first sector of the frame, allocate a pkt */ pkt = &str->tmp_pkt; - if (current_sector == 0) { - if (av_new_packet(pkt, frame_size)) + + if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ + if(pkt->data) + av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); + av_free_packet(pkt); + if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) return AVERROR_IO; pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; @@ -293,15 +304,15 @@ str->pts += (90000 / 15); } - /* load all the constituent chunks in the video packet */ - bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; - if (bytes_to_copy>0) { - if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; - memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, - sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); - } + memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, + sector + VIDEO_DATA_HEADER_SIZE, + VIDEO_DATA_CHUNK_SIZE); + if (current_sector == sector_count-1) { + pkt->size= frame_size; *ret_pkt = *pkt; + pkt->data= NULL; + pkt->size= -1; return 0; }
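Review bot: Nothing in the reallocation branch (`if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE)`) records which chunks have been filled. A file that skips sectors, or changes sector_count mid-frame and takes the "missmatching sector_count" path, can therefore reach the final-sector hand-off with part of the buffer never written. Unless av_new_packet zeroes its payload (it is defined outside this diff), those bytes are stale heap contents passed on to the decoder; adding `memset(pkt->data, 0, sector_count*VIDEO_DATA_CHUNK_SIZE);` right after the allocation succeeds would make such gaps deterministic. The allocation size is also taken directly from a 16-bit field in the file, so a sanity cap on sector_count would bound how much memory one small input can request per frame. The enclosing function starts and ends outside the hunk.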
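Review bot: The now-unconditional `memcpy` of a full VIDEO_DATA_CHUNK_SIZE in the second hunk has no local bound. It is safe only because of the `current_sector < sector_count` check and the `sector_count*VIDEO_DATA_CHUNK_SIZE` packet size established in the previous hunk, and that dependency deserves a comment, e.g. `/* in bounds: current_sector < sector_count, pkt holds sector_count chunks */`. The `pkt->data= NULL; pkt->size= -1;` reset after `*ret_pkt = *pkt;` both hands the buffer to the caller and forces a fresh allocation for the next frame, and should say so: `/* ownership moved to ret_pkt; -1 forces reallocation */`. The scheme also assumes tmp_pkt starts out with a NULL data pointer, which is initialised outside this hunk and should be confirmed.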