Heap-based Buffer Overflow in libavcodec

Reported by Fabian Yamaguchi on 2012-04-13

Affects            Importance   Assigned to
ffmpeg (Ubuntu)    Undecided    Unassigned
  Lucid            Medium       Unassigned
  Natty            Undecided    Unassigned
  Oneiric          Undecided    Unassigned
  Precise          Undecided    Unassigned
  Quantal          Undecided    Unassigned
libav (Ubuntu)     Medium       Unassigned
  Lucid            Undecided    Unassigned
  Natty            Medium       Unassigned
  Oneiric          Medium       Unassigned
  Precise          Medium       Unassigned
  Quantal          Medium       Unassigned

Bug Description

A vulnerability in the decoder for VQA media files exists in function vqa_decode_chunk (libavcodec/vqavideo.c) of libavcodec (part of FFmpeg). This vulnerability allows memory on the heap to be corrupted and possibly leads to arbitrary code execution.

Here's the relevant excerpt from vqa_decode_chunk:

 1     int lobytes = 0;
 2     int hibytes = s->decode_buffer_size / 2;
 3     ...
 4     for (y = 0; y < s->frame.linesize[0] * s->height;
 5          y += s->frame.linesize[0] * s->vector_height) {
 6
 7         for (x = y; x < y + s->width; x += 4, lobytes++, hibytes++) {
 8             pixel_ptr = x;
 9             /* get the vector index, the method for which varies according to
10              * VQA file version */
11             switch (s->vqa_version) {
12             case 1:
13                 ...
14             case 2:
15                 lobyte = s->decode_buffer[lobytes];
16                 hibyte = s->decode_buffer[hibytes];
17                 vector_index = (hibyte << 8) | lobyte;
18                 vector_index <<= index_shift;
19                 lines = s->vector_height;
20                 break;
21
22             case 3:
23                 ...
24             }
25             while (lines--) {
26                 s->frame.data[0][pixel_ptr + 0] = s->codebook[vector_index++];
27                 s->frame.data[0][pixel_ptr + 1] = s->codebook[vector_index++];
28                 s->frame.data[0][pixel_ptr + 2] = s->codebook[vector_index++];
29                 s->frame.data[0][pixel_ptr + 3] = s->codebook[vector_index++];
30                 pixel_ptr += s->frame.linesize[0];
31             }
32         }
33     }

This function fills the pixel buffer (s->frame.data[0]) in tiles of 4x4 pixels on lines 25 to 30. The problem is that a check to verify that the index still addresses a location inside the buffer is performed only by the conditions of the for-loops on lines 4 and 7; however, for the inner while-loop starting on line 25, no such check exists. In consequence, up to three extra lines can be written beyond the end of the buffer.

A sample file has been attached, which causes a crash on Ubuntu 11.10 (32 bit) when played with mplayer. We hope this information is useful to you.

Fabian Yamaguchi - University of Goettingen
Markus Lottmann - Technische Universitaet Berlin
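The following is an added illustration, not code from the reporters or from libav/FFmpeg. It models the loop nesting of the excerpt above (y over tile rows, x over 4-pixel columns, the inner while over vector_height lines) on a simplified frame geometry: a dry run counts how many byte writes the unchecked inner loop would place past the end of a linesize*height buffer, and a hardened fill routine validates the geometry up front and bounds-checks each tile against both the pixel buffer and the codebook before writing. The struct and function names are hypothetical, and the up-front check (frame dimensions must be whole multiples of the tile) is the natural one implied by the description; it is not presented as the text of the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame geometry mirroring the fields the excerpt uses (s->width, s->height,
 * s->frame.linesize[0], s->vector_height). Hypothetical struct for this
 * example, not libavcodec's own context. */
typedef struct {
    int width;
    int height;
    int linesize;
    int vector_height;
} frame_geom;

/* Dry run of the excerpt's loop structure: walk the same y/x/lines nesting,
 * but instead of storing pixels count every byte the inner while-loop would
 * write at or beyond the end of a linesize*height buffer. */
size_t count_oob_writes(frame_geom g)
{
    size_t buf_len = (size_t)g.linesize * g.height;
    size_t oob = 0;
    for (int y = 0; y < g.linesize * g.height; y += g.linesize * g.vector_height) {
        for (int x = y; x < y + g.width; x += 4) {
            size_t pixel_ptr = (size_t)x;
            int lines = g.vector_height;
            while (lines--) {               /* no bounds check here, as in the excerpt */
                for (int k = 0; k < 4; k++)
                    if (pixel_ptr + k >= buf_len)
                        oob++;
                pixel_ptr += g.linesize;
            }
        }
    }
    return oob;
}

/* Up-front validation: the tile loop stays inside the buffer only when the
 * frame is a whole number of 4 x vector_height tiles and a row fits in its
 * stride. Returns 1 if the geometry is safe, 0 otherwise. */
int vqa_geometry_ok(frame_geom g)
{
    if (g.width <= 0 || g.height <= 0 || g.linesize <= 0 || g.vector_height <= 0)
        return 0;
    if (g.width > g.linesize)
        return 0;
    if (g.width % 4 != 0 || g.height % g.vector_height != 0)
        return 0;
    return 1;
}

/* Hardened fill: rejects bad geometry, then checks every tile against the
 * pixel buffer and the codebook before copying. vectors[] supplies one
 * codebook offset per tile in loop order (standing in for the decode_buffer
 * lookup of the excerpt). Returns 0 on success, -1 if any write or read
 * would be out of bounds; nothing is written on failure of the geometry check. */
int fill_tiles_checked(uint8_t *buf, size_t buf_len, frame_geom g,
                       const uint8_t *codebook, size_t cb_len,
                       const size_t *vectors, size_t n_vectors)
{
    if (!vqa_geometry_ok(g) || buf_len < (size_t)g.linesize * g.height)
        return -1;
    size_t tile = 0;
    for (int y = 0; y < g.linesize * g.height; y += g.linesize * g.vector_height) {
        for (int x = y; x < y + g.width; x += 4, tile++) {
            if (tile >= n_vectors)
                return -1;
            size_t vector_index = vectors[tile];
            size_t pixel_ptr = (size_t)x;
            size_t need = (size_t)4 * g.vector_height;
            /* Last byte this tile touches must lie inside the frame buffer,
             * and the codebook slice it reads must exist. */
            size_t last = pixel_ptr + (size_t)(g.vector_height - 1) * g.linesize + 3;
            if (last >= buf_len || vector_index > cb_len || cb_len - vector_index < need)
                return -1;
            for (int lines = g.vector_height; lines--; ) {
                memcpy(buf + pixel_ptr, codebook + vector_index, 4);  /* one 4-pixel row */
                vector_index += 4;
                pixel_ptr += g.linesize;
            }
        }
    }
    return 0;
}
```

With a constructed 8-pixel-wide frame of height 6, stride 8 and 4-line tiles, the dry run reports 16 out-of-bounds byte writes: the second tile row starts at offset 32 and its last two lines fall at offsets 48 and 56, past the 48-byte buffer, which is the "extra lines" case the report describes. The same geometry is rejected by vqa_geometry_ok before any write happens, while an 8x8 frame fills cleanly.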

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. I forwarded this to upstream. I can confirm the sample file crashes mplayer.

Changed in libav (Ubuntu):
status: New → Confirmed

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0947

Jamie Strandboge (jdstrand) wrote :

This also seems to affect ffmpeg from older releases. Upstream libav sent a suggested patch today, and I forwarded it and this information to upstream ffmpeg to linux-distros@.

Changed in ffmpeg (Ubuntu):
status: New → Confirmed
Changed in libav (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu):
importance: Undecided → Medium

Jamie Strandboge (jdstrand) wrote :

Per upstream ffmpeg, this was fixed some time ago in 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d.

Per upstream libav, this issue is now public.

Changed in ffmpeg (Ubuntu):
status: Confirmed → Triaged
visibility: private → public

Jamie Strandboge (jdstrand) wrote :

Patch from upstream.

Jamie Strandboge (jdstrand) wrote :

Changed in ffmpeg (Ubuntu Natty):
status: New → Invalid
Changed in ffmpeg (Ubuntu Oneiric):
status: New → Invalid
Changed in ffmpeg (Ubuntu Precise):
status: New → Invalid
Changed in ffmpeg (Ubuntu Quantal):
status: Triaged → Invalid
Changed in libav (Ubuntu Lucid):
status: New → Invalid
Changed in libav (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Medium
Changed in libav (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Medium
Changed in libav (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Quantal):
importance: Medium → Undecided
tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.3-0ubuntu1

---------------
libav (4:0.8.3-0ubuntu1) quantal; urgency=low

  * New Upstream releases:
      + version 0.8.3:
        - Several bugs and crashes have been fixed in the following codecs: PNG,
          Electronic Arts TQI, H.264 (CVE-2012-0851) and H.263 (CVE-2011-3937)
      + version 0.8.2:
        - Several bugs and crashes have been fixed in the following codecs: AAC,
          APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW,
          TTA, VC1, VQA, WMA Voice, vqavideo (CVE-2012-0947). LP: #980963
        - Several bugs and crashes have been fixed in the following formats:
          ASF, ID3v2, MOV, xWMA
        - This release additionally updates the following codecs to the
          bytestream2 API, and therefore benefit from additional overflow
          checks: truemotion2, utvideo, vqavideo
  * libav-tools: add pre-depends on dpkg
  * ffmpeg: update Conflict/Replaces relationships

  [ Matthieu Baerts (matttbe) <email address hidden> ]
  * debian/ffmpeg.install and debian/libav-tools.install:
    - Moved all ffmpeg binaries and manpages to ffmpeg package (LP: #1011136)
 -- Reinhard Tartler <email address hidden> Sun, 10 Jun 2012 20:24:59 +0200

Changed in libav (Ubuntu Quantal):
status: Triaged → Fix Released

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libav (Ubuntu Natty):
status: Triaged → Won't Fix

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libav (Ubuntu Oneiric):
status: Triaged → Won't Fix