Heap-based Buffer Overflow in libavcodec
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ffmpeg (Ubuntu) | Invalid | Undecided | Unassigned | |
| Lucid | Won't Fix | Medium | Unassigned | |
| Natty | Invalid | Undecided | Unassigned | |
| Oneiric | Invalid | Undecided | Unassigned | |
| Precise | Invalid | Undecided | Unassigned | |
| Quantal | Invalid | Undecided | Unassigned | |
| libav (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Fix Released | Medium | Unassigned | |
| Quantal | Fix Released | Medium | Unassigned | |
Bug Description
A vulnerability in the decoder for VQA media files exists in function vqa_decode_chunk (libavcodec/
Here's the relevant excerpt from vqa_decode_chunk:
```
 1 int lobytes = 0;
 2 int hibytes = s->decode_
 3 ...
 4 for (y = 0; y < s->frame.
 5     y += s->frame.
 6
 7     for (x = y; x < y + s->width; x += 4, lobytes++, hibytes++) {
 8         pixel_ptr = x;
 9         /* get the vector index, the method for which varies according to
10          * VQA file version */
11         switch (s->vqa_version) {
12         case 1:
13             ...
14         case 2:
15             lobyte = s->decode_
16             hibyte = s->decode_
17             vector_index = (hibyte << 8) | lobyte;
18             vector_index <<= index_shift;
19             lines = s->vector_height;
20             break;
21
22         case 3:
23             ...
24         }
25         while (lines--) {
26             s->frame.
27             s->frame.
28             s->frame.
29             s->frame.
30             pixel_ptr += s->frame.
31         }
32     }
33 }
```
This function fills the pixel buffer (s->frame.data[0]) in tiles of 4x4 pixels on lines 25 to 30. The problem is that a check to verify that the index still addresses a location inside the buffer is performed only by the conditions of the for-loops on lines 4 and 7; for the inner while-loop starting on line 25, however, no such check exists. In consequence, up to three extra lines can be written beyond the end of the buffer.
A sample file has been attached, which causes a crash on Ubuntu 11.10 (32 bit) when played with mplayer. We hope this information is useful to you.
Fabian Yamaguchi - University of Goettingen
Markus Lottmann - Technische Universitaet Berlin
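To make the overrun measurable, here is an added C model of the tile loop described above (constructed for this page, not libavcodec code): `vqa_geom`, `blit_tiles` and `guard_bytes_clobbered` are hypothetical names, and the clamp under `guarded` is one possible mitigation, not necessarily the fix upstream shipped. A frame whose height is not a multiple of `vector_height` makes the unguarded loop write past the frame buffer into a poisoned guard region, which the function counts.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Frame geometry, named after the fields the report's excerpt reads. */
typedef struct {
    int width, height;      /* pixels per row (multiple of 4 here) and rows per frame */
    int linesize;           /* bytes per row of data[0] */
    int vector_height;      /* rows per tile; 4 gives the "up to three lines" of the report */
} vqa_geom;

/* Constructed stand-in for the tile loop on lines 4-32 of the excerpt: tiles are
 * 4 pixels wide and vector_height rows tall.  'guarded' enables the added check. */
static void blit_tiles(uint8_t *data0, const vqa_geom *g, int guarded)
{
    int y, x, lines, pixel_ptr;
    for (y = 0; y < g->linesize * g->height; y += g->linesize * g->vector_height) {
        for (x = y; x < y + g->width; x += 4) {
            pixel_ptr = x;
            lines = g->vector_height;            /* line 19: never compared with height */
            if (guarded) {
                /* Hardened: write no more rows than remain below this tile row. */
                int rows_left = g->height - y / g->linesize;
                if (lines > rows_left) lines = rows_left;
            }
            while (lines--) {                    /* lines 25-31 of the excerpt */
                memset(data0 + pixel_ptr, 0xAA, 4);   /* codebook copy, modelled as a fill */
                pixel_ptr += g->linesize;
            }
        }
    }
}

/* Blit into a frame buffer followed by a poisoned guard region and return how many
 * guard bytes were overwritten; 0 means every write stayed inside the frame. */
long guard_bytes_clobbered(const vqa_geom *g, int guarded)
{
    size_t frame = (size_t)g->linesize * g->height;
    size_t guard = (size_t)g->linesize * g->vector_height;   /* covers the worst overrun */
    uint8_t *buf = malloc(frame + guard);
    long clobbered = 0;
    if (!buf) return -1;
    memset(buf, 0x00, frame);
    memset(buf + frame, 0x55, guard);
    blit_tiles(buf, g, guarded);
    for (size_t i = frame; i < frame + guard; i++)
        if (buf[i] != 0x55) clobbered++;
    free(buf);
    return clobbered;
}
```

With an 8x6 frame and 4-row tiles the second tile row covers rows 4 to 7, so the unguarded loop writes two whole rows (16 bytes) past the frame while the clamped variant writes none.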
Changed in libav (Ubuntu):
    status: Confirmed → Triaged
    importance: Undecided → Medium
Changed in ffmpeg (Ubuntu):
    importance: Undecided → Medium
    tags: added: patch
Thank you for using Ubuntu and reporting a bug. I forwarded this to upstream. I can confirm the sample file crashes mplayer.