From 801eff785aa1c791d75afaa59233e9b5e9e0f4c7 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Fri, 23 Mar 2012 22:30:38 +0100
Subject: [PATCH 1/6] rv34: error out on size changes with frame threading

(cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd)

Fixes: CVE-2012-2772 (according to Ubuntu)
---
 libavcodec/rv34.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index a20a9892b8..95ad5dd06e 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1280,6 +1280,14 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int
 if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) {
 if(s->width != r->si.width || s->height != r->si.height){
+
+ if (HAVE_THREADS &&
+ (s->avctx->active_thread_type & FF_THREAD_FRAME)) {
+ av_log_missing_feature(s->avctx, "Width/height changing with "
+ "frame threading is", 0);
+ return AVERROR_PATCHWELCOME;
+ }
+
 av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height);
 MPV_common_end(s);
 s->width = r->si.width;
From 03ddc260668beaf62f6f7fe64a08b5a71be5bb27 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 24 Mar 2012 17:43:55 +0100
Subject: [PATCH 2/6] indeo5dec: Make sure we have had a valid gop header.

This prevents decoding happening on a half initialized context.

Fixes CVE-2012-2779

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov
(cherry picked from commit 891918431db628db17885ed947ee387b29826a64)

Conflicts:
	libavcodec/ivi_common.c
	libavcodec/ivi_common.h
---
 libavcodec/indeo5.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index e12cd61419..bb491fe15a 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -76,6 +76,8 @@ typedef struct {
 int is_scalable;
 uint32_t lock_word;
 IVIPicConfig pic_conf;
+
+ int gop_invalid;
 } IVI5DecContext;
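Review bot: The new early return carries no comment saying why a dimension change is refused only under frame threading, and the reason is not obvious from the hunk itself: the `MPV_common_end(s)` two lines below presumably tears down picture buffers that other frame-decoding threads may still be reading, which is what makes a live resize unsafe. I would add above the `if (HAVE_THREADS &&` line: `/* MPV_common_end() below frees the picture buffers; with frame threading other threads may still reference them, so refuse to resize. */`. The check sits inside the existing `s->width != r->si.width || s->height != r->si.height` branch, so slices that keep the current size are unaffected. rv34_decode_slice continues outside the hunk, so how the caller handles AVERROR_PATCHWELCOME for the rest of the frame is not visible here.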
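Review bot: The new `int gop_invalid;` field is undocumented while the flag's meaning (set while parsing a GOP header, cleared on success, tested in decode_frame) is what the whole fix hinges on. I would annotate it in the struct: `int gop_invalid; ///< non-zero while the most recent GOP header failed to parse (or is still being parsed)`. Whether the field also means "no GOP header seen yet" depends on how decode_init initializes the context, which is outside this hunk.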
@@ -335,8 +337,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx)
 ctx->frame_num = get_bits(&ctx->gb, 8);
 if (ctx->frame_type == FRAMETYPE_INTRA) {
- if (decode_gop_header(ctx, avctx))
- return -1;
+ ctx->gop_invalid = 1;
+ if (decode_gop_header(ctx, avctx)) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+ return AVERROR_INVALIDDATA;
+ }
+ ctx->gop_invalid = 0;
 }
 if (ctx->frame_type != FRAMETYPE_NULL) {
@@ -759,6 +765,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 "Error while decoding picture header: %d\n", result);
 return -1;
 }
+ if (ctx->gop_invalid)
+ return AVERROR_INVALIDDATA;
 if (ctx->gop_flags & IVI5_IS_PROTECTED) {
 av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
From 604d72aa0d050a95aefdc15fc57743415af8283b Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 13:25:28 +0200
Subject: [PATCH 3/6] dfa: improve boundary checks in decode_dds1()

Fixes CVE-2012-2798

CC:libav-stable@libav.org
(cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6)

Conflicts:
	libavcodec/dfa.c
---
 libavcodec/dfa.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index eeb96cf7b1..9c80b3c4e8 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
 bitbuf = bytestream_get_le16(&src);
 mask = 1;
 }
- if (src_end - src < 2 || frame_end - frame < 2)
- return -1;
+
 if (bitbuf & mask) {
 v = bytestream_get_le16(&src);
 offset = (v & 0x1FFF) << 2;
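Review bot: decode_pic_hdr now returns AVERROR_INVALIDDATA for a bad GOP header, but its caller in the next hunk still logs `result` and then does `return -1;`, so the more specific error code is thrown away at the API boundary; `return result;` there would keep it. Inside this hunk the ordering is right: `ctx->gop_invalid = 1;` is raised before `decode_gop_header()` and cleared only after it succeeds, so a parse failure leaves the flag set. decode_pic_hdr begins before the hunk.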
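Review bot: `if (ctx->gop_invalid)` only rejects frames after a GOP header was seen and failed to parse; if the context starts zeroed (as libavcodec priv_data normally does) and the stream opens with a non-INTRA frame, no GOP header has ever been decoded and this check still lets the frame through to a context that is exactly as half-initialized as the commit message describes. Unless decode_init parses a GOP header itself (not visible here), I would initialize `ctx->gop_invalid = 1;` in decode_init so the flag means "no valid GOP header yet" rather than "the last one was bad". decode_frame begins before the hunk.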
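Review bot: The deleted `if (src_end - src < 2 || frame_end - frame < 2) return -1;` was the only input-length guard in this hunk, and the `bytestream_get_le16(&src)` in the `bitbuf & mask` branch still advances a raw pointer with nothing replacing it; unless the loop head above the hunk (not visible) already checks `src_end - src`, this backport reintroduces a two-byte over-read at the end of a truncated segment list. The upstream commit presumably dropped the guard because its reader API bounds-checks internally (the "Conflicts: libavcodec/dfa.c" note suggests the code differs), which does not hold for the raw `src`/`src_end` pointers here. I would keep `if (src_end - src < 2) return AVERROR_INVALIDDATA;` immediately before `if (bitbuf & mask) {`. decode_dds1 begins and ends outside this hunk.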
@@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height,
 frame += 2;
 }
 } else if (bitbuf & (mask << 1)) {
- frame += bytestream_get_le16(&src) * 2;
+ v = bytestream_get_le16(&src)*2;
+ if (frame - frame_end < v)
+ return AVERROR_INVALIDDATA;
+ frame += v;
 } else {
- if (frame_end - frame < width + 2)
+ if (frame_end - frame < width + 3)
 return AVERROR_INVALIDDATA;
 frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++;
From 440e98574bde9ca606dfea60c7dda8de555067f7 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 11:07:58 +0200
Subject: [PATCH 4/6] indeo4/5: check empty tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed without the tile being reallocated.

Based on a patch by Michael Niedermayer

Fixes CVE-2012-2800

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1)

Conflicts:
	libavcodec/ivi_common.c
---
 libavcodec/indeo5.c | 4 +++-
 libavcodec/ivi_common.c | 11 ++++++++++-
 libavcodec/ivi_common.h | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index bb491fe15a..45460a40fd 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -619,8 +619,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num,
 tile->is_empty = get_bits1(&ctx->gb);
 if (tile->is_empty) {
- ff_ivi_process_empty_tile(avctx, band, tile,
+ result = ff_ivi_process_empty_tile(avctx, band, tile,
 (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3));
+ if (result < 0)
+ break;
 } else {
 tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb);
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index f55371cf73..38cb3a8b33 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
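Review bot: `if (frame - frame_end < v)` has its operands reversed: while `frame` is inside the buffer, `frame - frame_end` is zero or negative, so the test fires for every non-zero skip and the skip branch can never advance `frame`, whereas a pointer already past `frame_end` would sail through. The intended guard is `if (frame_end - frame < v) return AVERROR_INVALIDDATA;`, the same shape as the `frame_end - frame < width + 3` check three lines below. The `*src++` in the last context line also depends on a source-length check that is not in this hunk. decode_dds1 begins and ends outside the hunk.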
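Review bot: `if (result < 0) break;` leaves the tile loop with `result` negative, but whether the code after the loop (outside this hunk) returns that value or simply moves on to the next band is not visible; if it does not, the mismatch error would be swallowed and decoding would continue on the band whose tile was rejected. If the post-loop code does propagate it, a one-line comment would save the next reader the trip: `/* tile/band size mismatch: abort this band, result is returned after the loop */`. decode_band begins before the hunk and ends after it.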
@@ -495,7 +495,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
 return 0;
 }
-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
 IVITile *tile, int32_t mv_scale)
 {
 int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
@@ -506,6 +506,13 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
 void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type);
+ if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
+ av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches "
+ "parameters %d in ivi_process_empty_tile()\n",
+ tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+ return AVERROR_INVALIDDATA;
+ }
+
 offs = tile->ypos * band->pitch + tile->xpos;
 mb = tile->mbs;
 ref_mb = tile->ref_mbs;
@@ -586,6 +593,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
 dst += band->pitch;
 }
 }
+
+ return 0;
 }
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index cd9847d08a..3a328c469a 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -325,7 +325,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile);
 * @param[in] tile pointer to the tile descriptor
 * @param[in] mv_scale scaling factor for motion vectors
 */
-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
 IVITile *tile, int32_t mv_scale);
 /**
From 301761792a693a1f3303a2af34a0fb066a03c10c Mon Sep 17 00:00:00 2001
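Review bot: `IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)` is evaluated twice in the new check, once in the condition and again as an av_log() argument; compute it once into a local so the two can never disagree and the condition reads as a plain comparison: `int expected_mbs = IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size);` then `if (tile->num_MBs != expected_mbs) {` and `tile->num_MBs, expected_mbs);` in the log call. The message also names `ivi_process_empty_tile()` while the function is `ff_ivi_process_empty_tile`, which will mislead anyone grepping a log. The check guards `tile->mbs` against the band's current mb_size; whether `tile->ref_mbs` is sized the same way is not visible in this hunk. The function's body continues outside the hunk.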
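Review bot: The prototype now returns int but the Doxygen block above it gains no `@return`, so the header still reads as if the function cannot fail. Add after the `@param[in] mv_scale` line: ` * @return 0 on success, AVERROR_INVALIDDATA if the tile's allocated macroblock count does not match band->mb_size`. The start of the comment block is outside the hunk.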
From: Anton Khirnov
Date: Thu, 13 Dec 2012 17:53:31 +0100
Subject: [PATCH 5/6] mpeg12: do not decode extradata more than once.

Fixes CVE-2012-2803.

(cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2)

Conflicts:
	libavcodec/mpeg12.c
	libavcodec/mpeg12.h
---
 libavcodec/mpeg12.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index 03c95c191d..047c38f18a 100644
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1147,6 +1147,7 @@ typedef struct Mpeg1Context {
 int save_width, save_height, save_progressive_seq;
 AVRational frame_rate_ext; ///< MPEG-2 specific framerate modificator
 int sync; ///< Did we reach a sync point like a GOP/SEQ/KEYFrame?
+ int extradata_decoded;
 } Mpeg1Context;
 static av_cold int mpeg_decode_init(AVCodecContext *avctx)
@@ -2279,8 +2280,10 @@ static int mpeg_decode_frame(AVCodecContext *avctx,
 s->slice_count= 0;
- if(avctx->extradata && !avctx->frame_number)
+ if (avctx->extradata && !s->extradata_decoded) {
 decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size);
+ s->extradata_decoded = 1;
+ }
 return decode_chunks(avctx, picture, data_size, buf, buf_size);
 }
From db5b454c3d20f0e2e7fff8f0091e776ae9757725 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 24 Jan 2013 14:01:42 +0100
Subject: [PATCH 6/6] Update changelog for 0.7.7 release

---
 Changelog | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/Changelog b/Changelog
index f434aa13b5..a7410d9dc3 100644
--- a/Changelog
+++ b/Changelog
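Review bot: The new `int extradata_decoded;` field breaks the documentation style of its neighbours, which all carry a `///<` comment, and its meaning is the whole point of the fix. I would write `int extradata_decoded; ///< avctx->extradata has already been passed through decode_chunks(); never re-parse it`. The struct begins before the hunk.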
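Review bot: The return value of the extradata `decode_chunks()` call is still discarded and `s->extradata_decoded = 1` is set regardless, so malformed extradata is silently consumed exactly once and never reported. Not re-parsing it is the intent, but a failure should at least be visible: `if (decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size) < 0) av_log(avctx, AV_LOG_WARNING, "Failed to decode extradata\n");`. Replacing the `!avctx->frame_number` test with a context flag is the right move, since frame_number is presumably what got reset and let the sequence header be re-parsed into an already-initialized context. mpeg_decode_frame begins before the hunk.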
@@ -1,6 +1,38 @@
 Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest.
+version 0.7.7:
+
+Security Updates:
+
+- aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN (CVE-2012-5144)
+- alsdec: check opt_order (CVE-2012-2775)
+- alsdec: fix number of decoded samples in first sub-block in BGMC mode (CVE-2012-2790)
+- avidec: use actually read size instead of requested size (CVE-2012-2788)
+- avsdec: Set dimensions instead of relying on the demuxer (CVE-2012-2801)
+- cavsdec: check for changing w/h (CVE-2012-2777 and CVE-2012-2784)
+- dfa: check that the caller set width/height properly (CVE-2012-2786)
+- dfa: improve boundary checks in decode_dds1() (CVE-2012-2798)
+- indeo4/5: check empty tile size in decode_mb_info() (CVE-2012-2800)
+- indeo5: Make sure we have had a valid gop header (CVE-2012-2779)
+- indeo5: check tile size in decode_mb_info() (CVE-2012-2794)
+- ivi_common: check that scan pattern is set before using it (CVE-2012-2791)
+- lagarith: check count before writing zeros (CVE-2012-2793)
+- mpeg12: do not decode extradata more than once (CVE-2012-2803)
+- rv34: error out on size changes with frame threading (CVE-2012-2772)
+- vp56: release frames on error (CVE-2012-2783)
+- wmaprodec: check num_vec_coeffs for validity (CVE-2012-2789)
+
+
+Further bugfixes in the following codecs:
+ h264, vc1, nuv, imgconvert, vorbisenc, flacenc
+
+Other noteworthy changes:
+- fix segfault in avformat_open_input()
+- rtsp: Recheck the reordering queue if getting a new packet
+- fix uninitialized reads and memory leaks on malformed ogg files
+
+
 version 0.7.6:
 Security Updates: