Heap-based Buffer Overflow in libavcodec

Bug #980963 reported by Fabian Yamaguchi
Affects           Status        Importance  Assigned to  Milestone
ffmpeg (Ubuntu)   Invalid       Undecided   Unassigned
  Lucid           Won't Fix     Medium      Unassigned
  Natty           Invalid       Undecided   Unassigned
  Oneiric         Invalid       Undecided   Unassigned
  Precise         Invalid       Undecided   Unassigned
  Quantal         Invalid       Undecided   Unassigned
libav (Ubuntu)    Fix Released  Medium      Unassigned
  Lucid           Invalid       Undecided   Unassigned
  Natty           Won't Fix     Medium      Unassigned
  Oneiric         Won't Fix     Medium      Unassigned
  Precise         Fix Released  Medium      Unassigned
  Quantal         Fix Released  Medium      Unassigned

Bug Description

A vulnerability in the decoder for VQA media files exists in function vqa_decode_chunk (libavcodec/vqavideo.c) of libavcodec (part of FFmpeg). This vulnerability allows memory on the heap to be corrupted and possibly leads to arbitrary code execution.

Here's the relevant excerpt from vqa_decode_chunk:

 1 int lobytes = 0;
 2 int hibytes = s->decode_buffer_size / 2;
 3 ...
 4 for (y = 0; y < s->frame.linesize[0] * s->height;
 5      y += s->frame.linesize[0] * s->vector_height) {
 6
 7     for (x = y; x < y + s->width; x += 4, lobytes++, hibytes++) {
 8         pixel_ptr = x;
 9         /* get the vector index, the method for which varies according to
10          * VQA file version */
11         switch (s->vqa_version) {
12         case 1:
13             ...
14         case 2:
15             lobyte = s->decode_buffer[lobytes];
16             hibyte = s->decode_buffer[hibytes];
17             vector_index = (hibyte << 8) | lobyte;
18             vector_index <<= index_shift;
19             lines = s->vector_height;
20             break;
21
22         case 3:
23             ...
24         }
25         while (lines--) {
26             s->frame.data[0][pixel_ptr + 0] = s->codebook[vector_index++];
27             s->frame.data[0][pixel_ptr + 1] = s->codebook[vector_index++];
28             s->frame.data[0][pixel_ptr + 2] = s->codebook[vector_index++];
29             s->frame.data[0][pixel_ptr + 3] = s->codebook[vector_index++];
30             pixel_ptr += s->frame.linesize[0];
31         }
32     }
33 }

This function fills the pixel buffer (s->frame.data[0]) in tiles of 4x4 pixels on lines 25 to 30. The problem is that a check to verify that the index still addresses a location inside the buffer is performed only by the conditions of the for-loops on line 4 and 7, however, for the inner while-loop starting on line 25, no such check exists. In consequence, up to three extra lines can be written beyond the end of the buffer.

A sample file has been attached, which causes a crash on Ubuntu 11.10 (32 bit) when played with mplayer. We hope this information is useful to you.

Fabian Yamaguchi - University of Goettingen
Markus Lottmann - Technische Universitaet Berlin
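The overflow described in the report comes from the frame geometry rather than from any one index: the outer for-loop stops once y reaches linesize*height, but the inner while-loop then writes a full vector_height rows from that y, so a height that is not a multiple of vector_height spills the last tile row past the buffer. The following is an added example, a standalone model written for this page and not libavcodec's code nor the upstream patch; the struct, function names and the geometry check are assumptions chosen to illustrate the failure mode and one defensive fix. It computes how many extra lines the unchecked loop structure would write for a given height and vector_height, and shows a tile-fill routine that rejects such geometry (and out-of-range codebook indices) before touching memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the VQA tile fill loop (assumption: written for
 * this note, not libavcodec's code). Tiles are 4 pixels wide and
 * vector_height rows tall, as in the excerpt from vqa_decode_chunk. */
typedef struct {
    uint8_t *data;       /* stands in for s->frame.data[0] */
    int linesize;        /* s->frame.linesize[0] */
    int width, height;   /* s->width, s->height */
    int vector_height;   /* s->vector_height */
} vqa_frame;

/* Rows the original loop structure writes in total: the outer for-loop
 * runs ceil(height / vector_height) times, and each pass writes
 * vector_height rows unconditionally. */
int vqa_rows_written(int height, int vector_height)
{
    int tile_rows = (height + vector_height - 1) / vector_height; /* ceil */
    return tile_rows * vector_height;
}

/* Lines that land beyond the end of the frame buffer; 0 when height is an
 * exact multiple of vector_height. With vector_height 4 this is at most 3,
 * matching the "up to three extra lines" in the report. */
int vqa_overflow_lines(int height, int vector_height)
{
    return vqa_rows_written(height, vector_height) - height;
}

/* Hardened tile fill: rejects geometry that would make the inner loop
 * step past the buffer, validates every codebook index, then copies tiles.
 * 'codebook' holds 4*vector_height bytes per vector; 'indices' holds one
 * vector index per tile in raster order. Returns 0 on success, -1 if the
 * input is rejected. */
int vqa_fill_tiles(vqa_frame *f, const uint8_t *codebook, size_t codebook_len,
                   const uint16_t *indices, size_t nindices)
{
    if (f->vector_height <= 0 || f->width <= 0 || f->height <= 0 ||
        f->linesize < f->width)
        return -1;
    /* The check the original loop lacks: the tile grid must tile the frame
     * exactly, otherwise the last tile row writes rows >= height. */
    if (f->height % f->vector_height != 0 || f->width % 4 != 0)
        return -1;

    size_t bytes_per_vector = 4 * (size_t)f->vector_height;
    size_t tiles_x = (size_t)(f->width / 4);
    size_t tiles_y = (size_t)(f->height / f->vector_height);
    if (nindices < tiles_x * tiles_y)
        return -1;

    size_t t = 0;
    for (size_t ty = 0; ty < tiles_y; ty++) {
        for (size_t tx = 0; tx < tiles_x; tx++, t++) {
            size_t vi = (size_t)indices[t] * bytes_per_vector;
            if (vi + bytes_per_vector > codebook_len)   /* codebook bound */
                return -1;
            uint8_t *p = f->data + ty * (size_t)f->vector_height * (size_t)f->linesize
                         + tx * 4;
            for (int row = 0; row < f->vector_height; row++) {
                memcpy(p, codebook + vi + (size_t)row * 4, 4);
                p += f->linesize;
            }
        }
    }
    return 0;
}

/* Self-check on constructed data: an 8x8 frame with 4-row tiles fills
 * correctly, a 5-row frame (the report's failure mode) is rejected, and
 * an out-of-range codebook index is rejected. Returns 1 if all hold. */
int vqa_selftest(void)
{
    uint8_t buf[8 * 8];
    uint8_t codebook[32];                     /* two vectors of 16 bytes */
    memset(codebook, 0xAA, 16);
    memset(codebook + 16, 0xBB, 16);
    const uint16_t idx[4] = { 0, 1, 1, 0 };   /* constructed tile indices */

    vqa_frame ok = { buf, 8, 8, 8, 4 };
    memset(buf, 0, sizeof buf);
    if (vqa_fill_tiles(&ok, codebook, sizeof codebook, idx, 4) != 0) return 0;
    if (buf[0] != 0xAA || buf[4] != 0xBB || buf[3 * 8 + 7] != 0xBB) return 0;
    if (buf[4 * 8 + 0] != 0xBB || buf[4 * 8 + 4] != 0xAA) return 0;

    vqa_frame bad = { buf, 8, 8, 5, 4 };      /* 5 rows, 4-row tiles */
    if (vqa_fill_tiles(&bad, codebook, sizeof codebook, idx, 4) != -1) return 0;

    const uint16_t bad_idx[4] = { 0, 2, 0, 0 }; /* vector 2 does not exist */
    if (vqa_fill_tiles(&ok, codebook, sizeof codebook, bad_idx, 4) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("5 rows, 4-row tiles: unchecked loop writes %d extra line(s)\n",
           vqa_overflow_lines(5, 4));
    printf("selftest: %s\n", vqa_selftest() ? "ok" : "FAILED");
    return vqa_selftest() ? 0 : 1;
}
```

Rejecting the geometry up front is the simplest defence because it keeps the per-pixel loop free of checks; the alternative is to clamp the inner loop to the remaining rows, which is also valid but easier to get wrong when linesize differs from width.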

Tags: patch
Revision history for this message
Fabian Yamaguchi (fabian-yamaguchi) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. I forwarded this to upstream. I can confirm the sample file crashes mplayer.

Changed in libav (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0947

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This also seems to affect ffmpeg from older releases. Upstream libav sent a suggested patch today, and I forwarded it and this information to upstream ffmpeg to linux-distros@.

Changed in ffmpeg (Ubuntu):
status: New → Confirmed
Changed in libav (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Per upstream ffmpeg, this was fixed some time ago in 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d.

Per upstream libav, this issue is now public.

Changed in ffmpeg (Ubuntu):
status: Confirmed → Triaged
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Patch from upstream.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in ffmpeg (Ubuntu Natty):
status: New → Invalid
Changed in ffmpeg (Ubuntu Oneiric):
status: New → Invalid
Changed in ffmpeg (Ubuntu Precise):
status: New → Invalid
Changed in ffmpeg (Ubuntu Quantal):
status: Triaged → Invalid
Changed in libav (Ubuntu Lucid):
status: New → Invalid
Changed in libav (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Medium
Changed in libav (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Medium
Changed in libav (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Quantal):
importance: Medium → Undecided
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.3-0ubuntu1

---------------
libav (4:0.8.3-0ubuntu1) quantal; urgency=low

  * New Upstream releases:
      + version 0.8.3:
        - Several bugs and crashes have been fixed in the following codecs: PNG,
          Electronic Arts TQI, H.264 (CVE-2012-0851) and H.263 (CVE-2011-3937)
      + version 0.8.2:
        - Several bugs and crashes have been fixed in the following codecs: AAC,
          APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW,
          TTA, VC1, VQA, WMA Voice, vqavideo (CVE-2012-0947). LP: #980963
        - Several bugs and crashes have been fixed in the following formats:
          ASF, ID3v2, MOV, xWMA
        - This release additionally updates the following codecs to the
          bytestream2 API, and therefore benefit from additional overflow
          checks: truemotion2, utvideo, vqavideo
  * libav-tools: add pre-depends on dpkg
  * ffmpeg: update Conflict/Replaces relationships

  [ Matthieu Baerts (matttbe) <email address hidden> ]
  * debian/ffmpeg.install and debian/libav-tools.install:
    - Moved all ffmpeg binaries and manpages to ffmpeg package (LP: #1011136)
 -- Reinhard Tartler <email address hidden> Sun, 10 Jun 2012 20:24:59 +0200

Changed in libav (Ubuntu Quantal):
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libav (Ubuntu Natty):
status: Triaged → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libav (Ubuntu Oneiric):
status: Triaged → Won't Fix
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ffmpeg (Ubuntu Lucid):
status: Triaged → Won't Fix
Revision history for this message
Steve Beattie (sbeattie) wrote :

This was fixed in libav/precise in https://bugs.launchpad.net/ubuntu/+source/libav/+bug/980963, closing that task.

Changed in libav (Ubuntu Precise):
status: Triaged → Fix Released