Heap-based Buffer Overflow in libavcodec
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ffmpeg (Ubuntu) | Invalid | Undecided | Unassigned | |
| Lucid | Won't Fix | Medium | Unassigned | |
| Natty | Invalid | Undecided | Unassigned | |
| Oneiric | Invalid | Undecided | Unassigned | |
| Precise | Invalid | Undecided | Unassigned | |
| Quantal | Invalid | Undecided | Unassigned | |
| libav (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Fix Released | Medium | Unassigned | |
| Quantal | Fix Released | Medium | Unassigned | |
Bug Description
A vulnerability in the decoder for VQA media files exists in function vqa_decode_chunk (libavcodec/
Here's the relevant excerpt from vqa_decode_chunk:
```c
 1 int lobytes = 0;
 2 int hibytes = s->decode_
 3 ...
 4 for (y = 0; y < s->frame.
 5      y += s->frame.
 6
 7     for (x = y; x < y + s->width; x += 4, lobytes++, hibytes++) {
 8         pixel_ptr = x;
 9         /* get the vector index, the method for which varies according to
10          * VQA file version */
11         switch (s->vqa_version) {
12         case 1:
13             ...
14         case 2:
15             lobyte = s->decode_
16             hibyte = s->decode_
17             vector_index = (hibyte << 8) | lobyte;
18             vector_index <<= index_shift;
19             lines = s->vector_height;
20             break;
21
22         case 3:
23             ...
24         }
25         while (lines--) {
26             s->frame.
27             s->frame.
28             s->frame.
29             s->frame.
30             pixel_ptr += s->frame.
31         }
32     }
33 }
```
This function fills the pixel buffer (s->frame.data[0]) in tiles of 4x4 pixels on lines 25 to 30. The problem is that a check to verify that the index still addresses a location inside the buffer is performed only by the conditions of the for-loops on lines 4 and 7; for the inner while-loop starting on line 25, no such check exists. In consequence, up to three extra lines can be written beyond the end of the buffer.
A sample file has been attached, which causes a crash on Ubuntu 11.10 (32-bit) when played with mplayer. We hope this information is useful to you.
Fabian Yamaguchi - University of Goettingen
Markus Lottmann - Technische Universitaet Berlin
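The following is an added example, not libav code and not the reporters' attachment: a constructed C model of the tiling loops quoted above, with a helper that counts the bytes the unchecked while-loop would write past the end of a height x linesize frame buffer, beside a variant that clamps the tile height to the rows remaining. The geometry values and `value` are made up, and it assumes `width` is a multiple of 4 and no larger than `linesize`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame geometry (assumption for this example). */
struct frame_geom {
    int width, height, linesize, vector_height;
};

/* Mirror the report's loops (lines 4, 7 and 25) and count the bytes that
 * would land at or beyond height * linesize. Nothing is written here; the
 * addresses are only computed. */
size_t oob_bytes_unchecked(const struct frame_geom *g)
{
    size_t end = (size_t)g->height * g->linesize, oob = 0;
    for (int y = 0; y < g->linesize * g->height; y += g->linesize * g->vector_height)
        for (int x = y; x < y + g->width; x += 4) {
            int pixel_ptr = x;
            int lines = g->vector_height;
            while (lines--) {               /* no check against the buffer end */
                for (int i = 0; i < 4; i++)
                    if ((size_t)(pixel_ptr + i) >= end)
                        oob++;
                pixel_ptr += g->linesize;
            }
        }
    return oob;
}

/* Hardened variant: limit the tile height to the rows left before the
 * bottom of the frame, so the inner loop cannot leave dst. dst must hold
 * height * linesize bytes. Returns 1 if every write stayed in bounds. */
int fill_tiles_checked(uint8_t *dst, const struct frame_geom *g, uint8_t value)
{
    size_t end = (size_t)g->height * g->linesize;
    for (int y = 0; y < g->linesize * g->height; y += g->linesize * g->vector_height) {
        int rows_left = (g->linesize * g->height - y) / g->linesize;
        int lines = g->vector_height < rows_left ? g->vector_height : rows_left;
        for (int x = y; x < y + g->width; x += 4) {
            int pixel_ptr = x;
            for (int l = 0; l < lines; l++) {
                if ((size_t)pixel_ptr + 4 > end)   /* belt-and-braces guard */
                    return 0;
                memset(dst + pixel_ptr, value, 4); /* one 4-pixel tile row */
                pixel_ptr += g->linesize;
            }
        }
    }
    return 1;
}
```

With height 5 and vector_height 4, the unchecked loops write three full extra lines (24 bytes for an 8-byte linesize), matching the "up to three extra lines" in the report.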
| Changed in | Field | Change |
|---|---|---|
| libav (Ubuntu) | status | Confirmed → Triaged |
| libav (Ubuntu) | importance | Undecided → Medium |
| ffmpeg (Ubuntu) | importance | Undecided → Medium |
| ffmpeg (Ubuntu) | tags | added: patch |

Thank you for using Ubuntu and reporting a bug. I forwarded this to upstream. I can confirm the sample file crashes mplayer.