Raspbian automatic forward porter [Sun, 1 Sep 2019 13:44:55 +0000 (14:44 +0100)]
Merge version 6:11.12-1~deb8u7+rpi1 and 6:11.12-1~deb8u8 to produce 6:11.12-1~deb8u8+rpi1
Mike Gabriel [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
Merge libav (6:11.12-1~deb8u8) import into refs/heads/workingbranch
Petter Ericson [Wed, 17 Oct 2012 14:53:19 +0000 (16:53 +0200)]
mov.c: Check for stsd + m1s tag indicating MOV-wrapped MPEG-PS, and force continued probing if found.
Fixes Ticket241
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2018-11102-2.patch
Michael Niedermayer [Wed, 17 Oct 2012 15:20:12 +0000 (17:20 +0200)]
mov_probe: fix integer overflows
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2018-11102-1.patch
Michael Niedermayer [Sun, 8 Mar 2015 00:45:53 +0000 (01:45 +0100)]
avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking in qpel, chroma_4mv and 8x8
No testcase available
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2017-9987-2.patch
Michael Niedermayer [Sun, 8 Mar 2015 00:27:56 +0000 (01:27 +0100)]
avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking
Fixes Ticket4299
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2017-9987-1.patch
Paul B Mahol [Mon, 18 Aug 2014 11:00:24 +0000 (11:00 +0000)]
wvdec: check for eof in wv_read_block_header()
Fixes Ticket #3865
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Gbp-Pq: Name CVE-2019-14372.patch
Carl Eugen Hoyos [Sun, 4 Sep 2016 19:11:02 +0000 (21:11 +0200)]
lavc/avpacket: Fix undefined behaviour, do not pass a null pointer to memcpy().
Fixes ticket #5128.
Gbp-Pq: Name CVE-2018-5766.patch
wm4 [Tue, 3 Feb 2015 18:04:12 +0000 (19:04 +0100)]
avformat/mpc8: fix hang with fuzzed file
This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.
Fixes ticket #4262.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2019-14442.patch
Michael Niedermayer [Sat, 28 Jul 2018 13:03:50 +0000 (15:03 +0200)]
avformat/flvenc: Check audio packet size
Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf
Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-15822.patch
Michael Niedermayer [Sat, 23 Mar 2019 19:55:08 +0000 (20:55 +0100)]
avcodec/hevc: Avoid only partly skiping duplicate first slices
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2019-11338.patch
Anton Khirnov [Wed, 20 Jul 2016 06:31:38 +0000 (08:31 +0200)]
h264dec: handle zero-sized NAL units in get_last_needed_nal()
The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.
Found-By: Jan Ruge <jan.s.ruge@gmail.com>
Bug-Id: 952
Gbp-Pq: Name CVE-2017-
1000460.patch
Michael Niedermayer [Fri, 25 Aug 2017 23:26:58 +0000 (01:26 +0200)]
avformat/hls: Fix DoS due to infinite loop
Fixes: loop.m3u
The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Rebased against a libavformat/hls.c version that did not yet have AVOption support.
Initializing HLS_Context.max_reload statically with the value 1000.
Gbp-Pq: Name CVE-2017-14058.patch
Michael Niedermayer [Sun, 28 Jan 2018 01:46:56 +0000 (02:46 +0100)]
avfilter/vf_transpose: Fix regression with packed pixel formats
Regression since:
c6939f65a116b1ffed345d29d8621ee4ffb32235
Found-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-6392-2.patch
Michael Niedermayer [Sun, 28 Jan 2018 01:46:56 +0000 (02:46 +0100)]
avfilter/vf_transpose: Fix regression with packed pixel formats
Regression since:
c6939f65a116b1ffed345d29d8621ee4ffb32235
Found-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-6392-1.patch
Michael Niedermayer [Wed, 4 Feb 2015 19:48:30 +0000 (20:48 +0100)]
avcodec/mjpegdec: Check number of components for JPEG-LS
Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-1872.patch
Michael Niedermayer [Tue, 3 Jul 2018 20:14:42 +0000 (22:14 +0200)]
avformat/pva: Check for EOF before retrying in read_part_of_packet()
Fixes: Infinite loop
Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06
Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-
1999012.patch
Michael Niedermayer [Tue, 24 Jan 2017 23:20:19 +0000 (00:20 +0100)]
avcodec/utils: correct align value for interplay
Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2017-7865.patch
Michael Niedermayer [Fri, 3 Oct 2014 02:30:58 +0000 (04:30 +0200)]
avcodec/utils: Add case for jv to avcodec_align_dimensions2()
Fixes out of array accesses
Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2014-8542.patch
Michael Niedermayer [Sat, 4 Feb 2017 11:24:14 +0000 (12:24 +0100)]
avcodec/pngdec: Check trns more completely
Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] ported to libav in Debian jessie LTS (which only supports palette based transparency).
Gbp-Pq: Name CVE-2017-7863.patch
Michael Niedermayer [Mon, 4 Sep 2017 22:16:29 +0000 (00:16 +0200)]
avformat/asfdec: Fix DoS in asf_build_simple_index()
Fixes: Missing EOF check in loop
No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] - Backport to libav as found in Debian jessie LTS.
Gbp-Pq: Name CVE-2017-14223.patch
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
Fixes: 20170829B.mxf
Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2017-14169.patch
Michael Niedermayer [Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)]
avformat/mov: fix integer overflow in mov_read_udta_string()
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-1207.patch
Markus Koschany [Wed, 31 Jan 2018 13:48:32 +0000 (14:48 +0100)]
CVE-2017-14057
Origin: https://github.com/FFmpeg/FFmpeg/commit/
7f9ec5593e04827249e7aeb466da06a98a0d7329
Gbp-Pq: Name CVE-2017-14057.patch
Markus Koschany [Sun, 30 Dec 2018 11:12:16 +0000 (12:12 +0100)]
avio_feof
This function is needed for several of the CVE-2017-140xx flaws.
Gbp-Pq: Name avio_feof.patch
Markus Koschany [Sun, 30 Dec 2018 19:51:01 +0000 (20:51 +0100)]
CVE-2017-14171
Origin: https://github.com/FFmpeg/FFmpeg/commit/
c24bcb553650b91e9eff15ef6e54ca73de2453b7
Gbp-Pq: Name CVE-2017-14171.patch
Markus Koschany [Sun, 30 Dec 2018 19:53:42 +0000 (20:53 +0100)]
CVE-2017-14170
Origin: https://github.com/FFmpeg/FFmpeg/commit/
900f39692ca0337a98a7cf047e4e2611071810c2
Gbp-Pq: Name CVE-2017-14170.patch
Markus Koschany [Sun, 30 Dec 2018 13:25:04 +0000 (14:25 +0100)]
CVE-2017-14056
Origin: https://github.com/FFmpeg/FFmpeg/commit/
96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
Gbp-Pq: Name CVE-2017-14056.patch
Markus Koschany [Sun, 30 Dec 2018 13:27:49 +0000 (14:27 +0100)]
CVE-2017-14055
Origin: https://github.com/FFmpeg/FFmpeg/commit/
4f05e2e2dc1a89f38cd9f0960a6561083d714f1e
Gbp-Pq: Name CVE-2017-14055.patch
Markus Koschany [Sun, 30 Dec 2018 16:39:40 +0000 (17:39 +0100)]
CVE-2017-14767
Origin: https://github.com/FFmpeg/FFmpeg/commit/
c42a1388a6d1bfd8001bf6a4241d8ca27e49326d
Gbp-Pq: Name CVE-2017-14767.patch
Markus Koschany [Sun, 30 Dec 2018 16:29:28 +0000 (17:29 +0100)]
CVE-2017-15672
Origin: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=
c20f4fcb74da2d0432c7b54499bb98f48236b904
Gbp-Pq: Name CVE-2017-15672.patch
Markus Koschany [Sun, 30 Dec 2018 16:14:54 +0000 (17:14 +0100)]
CVE-2017-17130
Origin: https://github.com/libav/libav/commit/
49cf72b3ac77140cf4715c18fe7c7610d918d912
Gbp-Pq: Name CVE-2017-17130.patch
Markus Koschany [Sun, 30 Dec 2018 15:57:18 +0000 (16:57 +0100)]
CVE-2017-9993
Origin: https://github.com/FFmpeg/FFmpeg/commit/
a5d849b149ca67ced2d271dc84db0bc95a548abb
Gbp-Pq: Name CVE-2017-9993.patch
Markus Koschany [Sun, 30 Dec 2018 15:54:59 +0000 (16:54 +0100)]
CVE-2017-9994
Origin: https://github.com/FFmpeg/FFmpeg/commit/
6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef
Gbp-Pq: Name CVE-2017-9994.patch
Markus Koschany [Sun, 30 Dec 2018 15:51:20 +0000 (16:51 +0100)]
CVE-2018-14394
Origin: https://github.com/FFmpeg/FFmpeg/commit/
3a2d21bc5f97aa0161db3ae731fc2732be6108b8
Gbp-Pq: Name CVE-2018-14394.patch
Markus Koschany [Sun, 30 Dec 2018 15:39:05 +0000 (16:39 +0100)]
CVE-2018-
1999010
Origin: https://github.com/FFmpeg/FFmpeg/commit/
cced03dd667a5df6df8fd40d8de0bff477ee02e
Gbp-Pq: Name CVE-2018-
1999010.patch
Markus Koschany [Sun, 6 Jan 2019 15:05:17 +0000 (16:05 +0100)]
CVE-2018-6621
Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/
118e1b0b3370dd1c0da442901b486689efd1654b
Gbp-Pq: Name CVE-2018-6621.patch
Markus Koschany [Sun, 30 Dec 2018 14:14:44 +0000 (15:14 +0100)]
CVE-2018-7557
Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/
7414d0bda7763f9bd69c26c068e482ab297c1c96
Gbp-Pq: Name CVE-2018-7557.patch
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access
Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2016-10191.patch
Ronald S. Bultje [Mon, 5 Dec 2016 13:02:33 +0000 (08:02 -0500)]
http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.
Gbp-Pq: Name CVE-2016-10190.patch
Debian Multimedia Maintainers [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
CVE-2016-10190-pre3-strtoull
Gbp-Pq: Name CVE-2016-10190-pre3-strtoull.patch
Rodger Combs [Sun, 18 Oct 2015 22:50:21 +0000 (17:50 -0500)]
lavf/http: fix incorrect warning in range requests
Gbp-Pq: Name CVE-2016-10190-pre2-
362c17e6.patch
Michael Niedermayer [Sat, 28 Mar 2015 23:33:35 +0000 (00:33 +0100)]
avformat/http: Return an error in case of prematurely ending data
Fixes Ticket 4039
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2016-10190-pre1-
3668701f.patch
Michael Niedermayer [Sat, 28 Nov 2015 18:08:46 +0000 (19:08 +0100)]
avcodec/utils: Clear dimensions in ff_get_buffer() on failure
avcodec/utils: Clear dimensions in ff_get_buffer() on failure
Fixes out of array access
Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] - manually adapted for Debian jessie's libav version which lacks the get_internal_buffer() symbol.
Gbp-Pq: Name CVE-2015-8663.patch
Michael Niedermayer [Fri, 27 Nov 2015 18:52:39 +0000 (19:52 +0100)]
avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
Fixes out of array access
Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8662.patch
Michael Niedermayer [Tue, 24 Nov 2015 20:12:37 +0000 (21:12 +0100)]
avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
Fixes out of array access
Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8661.patch
Michael Niedermayer [Sat, 14 Nov 2015 00:36:22 +0000 (01:36 +0100)]
avcodec/ivi: Check image dimensions
avcodec/ivi: Check image dimensions
Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8364.patch
Debian Multimedia Maintainers [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
avcodec/jpeg2000dec: Check for duplicate SIZ marker
avcodec/jpeg2000dec: Check for duplicate SIZ marker
Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8363.patch
Michael Niedermayer [Thu, 5 Nov 2015 12:52:33 +0000 (13:52 +0100)]
avcodec/hevc_ps: Check chroma_format_idc
avcodec/hevc_ps: Check chroma_format_idc
Fixes out of array access
Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Ported to libav 11.12 in Debian jessie LTS.
Gbp-Pq: Name CVE-2015-8217.patch
Michael Niedermayer [Wed, 4 Nov 2015 16:08:52 +0000 (17:08 +0100)]
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Re-based for libav 11.12 in Debian jessie LTS.
Gbp-Pq: Name CVE-2015-8216.patch
Michael Niedermayer [Sat, 18 Jul 2015 07:24:45 +0000 (09:24 +0200)]
avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
Avoids leaving stale pointers
Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6826.patch
Michael Niedermayer [Thu, 16 Jul 2015 07:52:33 +0000 (09:52 +0200)]
avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6825.patch
Michael Niedermayer [Wed, 15 Jul 2015 15:20:19 +0000 (17:20 +0200)]
swscale/utils: Clear pix buffers
swscale/utils: Clear pix buffers
Fixes use of uninitialized memory
Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6824.patch
Michael Niedermayer [Mon, 13 Jul 2015 11:46:10 +0000 (13:46 +0200)]
avcodec/alac: Clear pointers in allocate_buffers()
avcodec/alac: Clear pointers in allocate_buffers()
Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6823.patch
Michael Niedermayer [Mon, 13 Jul 2015 12:05:21 +0000 (14:05 +0200)]
avcodec/sanm: Reset sizes in destroy_buffers()
avcodec/sanm: Reset sizes in destroy_buffers()
Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6822.patch
Michael Niedermayer [Thu, 9 Jul 2015 18:16:15 +0000 (20:16 +0200)]
avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
This ensures that no stale pointers leak through on any path
Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6821.patch
Michael Niedermayer [Tue, 30 Jun 2015 22:05:43 +0000 (00:05 +0200)]
avcodec/aacsbr: check that the element type matches before applying SBR
avcodec/aacsbr: check that the element type matches before applying SBR
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6820.patch
Michael Niedermayer [Mon, 29 Jun 2015 17:08:05 +0000 (19:08 +0200)]
avcodec/pngdec: Only allow one IHDR chunk
avcodec/pngdec: Only allow one IHDR chunk
Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses
Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6818.patch
Michael Niedermayer [Wed, 26 Nov 2014 13:45:47 +0000 (14:45 +0100)]
avcodec/pngdec: Check IHDR/IDAT order
avcodec/pngdec: Check IHDR/IDAT order
Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
[sunweaver] - Port this commit to libav in Debian jessie.
Gbp-Pq: Name CVE-2014-9317.patch
Michael Niedermayer [Wed, 30 Sep 2015 09:10:48 +0000 (11:10 +0200)]
avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
The variable is not a constant and can lead to race conditions
Fixes: repro.webm (not reproducable with FFmpeg alone)
Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6761.patch
Debian Multimedia Maintainers [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
disable-configuration-warnings
Gbp-Pq: Name 03-disable-configuration-warnings.patch
Debian Multimedia Maintainers [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
configure-disable-ebx-gcc-4.9
Gbp-Pq: Name 02-configure-disable-ebx-gcc-4.9.patch
Mike Gabriel [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
libav (6:11.12-1~deb8u8) jessie-security; urgency=medium
* CVE-2019-14442: avformat/mpc8: fix hang with fuzzed file.
* CVE-2018-5766: lavc/avpacket: Fix undefined behaviour, do not pass a null
pointer to memcpy().
* CVE-2019-14372: wvdec: check for eof in wv_read_block_header().
* CVE-2017-9987: avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds
checking.
* CVE-2018-11102:
- mov_probe: fix integer overflows.
- mov.c: Check for stsd + m1s tag indicating MOV-wrapped MPEG-PS, and force
continued probing if found.
[dgit import unpatched libav 6:11.12-1~deb8u8]
Mike Gabriel [Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)]
Import libav_11.12-1~deb8u8.debian.tar.xz
[dgit import tarball libav 6:11.12-1~deb8u8 libav_11.12-1~deb8u8.debian.tar.xz]
Raspbian automatic forward porter [Fri, 31 May 2019 03:23:38 +0000 (04:23 +0100)]
Merge version 6:11.12-1~deb8u6+rpi1 and 6:11.12-1~deb8u7 to produce 6:11.12-1~deb8u7+rpi1
Mike Gabriel [Tue, 28 May 2019 12:14:01 +0000 (13:14 +0100)]
Merge libav (6:11.12-1~deb8u7) import into refs/heads/workingbranch
Michael Niedermayer [Sat, 28 Jul 2018 13:03:50 +0000 (15:03 +0200)]
avformat/flvenc: Check audio packet size
Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf
Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-15822.patch
Michael Niedermayer [Sat, 23 Mar 2019 19:55:08 +0000 (20:55 +0100)]
avcodec/hevc: Avoid only partly skiping duplicate first slices
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2019-11338.patch
Anton Khirnov [Wed, 20 Jul 2016 06:31:38 +0000 (08:31 +0200)]
h264dec: handle zero-sized NAL units in get_last_needed_nal()
The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.
Found-By: Jan Ruge <jan.s.ruge@gmail.com>
Bug-Id: 952
Gbp-Pq: Name CVE-2017-
1000460.patch
Michael Niedermayer [Fri, 25 Aug 2017 23:26:58 +0000 (01:26 +0200)]
avformat/hls: Fix DoS due to infinite loop
Fixes: loop.m3u
The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Rebased against a libavformat/hls.c version that did not yet have AVOption support.
Initializing HLS_Context.max_reload statically with the value 1000.
Gbp-Pq: Name CVE-2017-14058.patch
Michael Niedermayer [Sun, 28 Jan 2018 01:46:56 +0000 (02:46 +0100)]
avfilter/vf_transpose: Fix regression with packed pixel formats
Regression since:
c6939f65a116b1ffed345d29d8621ee4ffb32235
Found-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-6392-2.patch
Michael Niedermayer [Sun, 28 Jan 2018 01:46:56 +0000 (02:46 +0100)]
avfilter/vf_transpose: Fix regression with packed pixel formats
Regression since:
c6939f65a116b1ffed345d29d8621ee4ffb32235
Found-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-6392-1.patch
Michael Niedermayer [Wed, 4 Feb 2015 19:48:30 +0000 (20:48 +0100)]
avcodec/mjpegdec: Check number of components for JPEG-LS
Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-1872.patch
Michael Niedermayer [Tue, 3 Jul 2018 20:14:42 +0000 (22:14 +0200)]
avformat/pva: Check for EOF before retrying in read_part_of_packet()
Fixes: Infinite loop
Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06
Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2018-
1999012.patch
Michael Niedermayer [Tue, 24 Jan 2017 23:20:19 +0000 (00:20 +0100)]
avcodec/utils: correct align value for interplay
Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2017-7865.patch
Michael Niedermayer [Fri, 3 Oct 2014 02:30:58 +0000 (04:30 +0200)]
avcodec/utils: Add case for jv to avcodec_align_dimensions2()
Fixes out of array accesses
Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2014-8542.patch
Michael Niedermayer [Sat, 4 Feb 2017 11:24:14 +0000 (12:24 +0100)]
avcodec/pngdec: Check trns more completely
Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] ported to libav in Debian jessie LTS (which only supports palette based transparency).
Gbp-Pq: Name CVE-2017-7863.patch
Michael Niedermayer [Mon, 4 Sep 2017 22:16:29 +0000 (00:16 +0200)]
avformat/asfdec: Fix DoS in asf_build_simple_index()
Fixes: Missing EOF check in loop
No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] - Backport to libav as found in Debian jessie LTS.
Gbp-Pq: Name CVE-2017-14223.patch
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
Fixes: 20170829B.mxf
Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2017-14169.patch
Michael Niedermayer [Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)]
avformat/mov: fix integer overflow in mov_read_udta_string()
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-1207.patch
Markus Koschany [Wed, 31 Jan 2018 13:48:32 +0000 (14:48 +0100)]
CVE-2017-14057
Origin: https://github.com/FFmpeg/FFmpeg/commit/
7f9ec5593e04827249e7aeb466da06a98a0d7329
Gbp-Pq: Name CVE-2017-14057.patch
Markus Koschany [Sun, 30 Dec 2018 11:12:16 +0000 (12:12 +0100)]
avio_feof
This function is needed for several of the CVE-2017-140xx flaws.
Gbp-Pq: Name avio_feof.patch
Markus Koschany [Sun, 30 Dec 2018 19:51:01 +0000 (20:51 +0100)]
CVE-2017-14171
Origin: https://github.com/FFmpeg/FFmpeg/commit/
c24bcb553650b91e9eff15ef6e54ca73de2453b7
Gbp-Pq: Name CVE-2017-14171.patch
Markus Koschany [Sun, 30 Dec 2018 19:53:42 +0000 (20:53 +0100)]
CVE-2017-14170
Origin: https://github.com/FFmpeg/FFmpeg/commit/
900f39692ca0337a98a7cf047e4e2611071810c2
Gbp-Pq: Name CVE-2017-14170.patch
Markus Koschany [Sun, 30 Dec 2018 13:25:04 +0000 (14:25 +0100)]
CVE-2017-14056
Origin: https://github.com/FFmpeg/FFmpeg/commit/
96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
Gbp-Pq: Name CVE-2017-14056.patch
Markus Koschany [Sun, 30 Dec 2018 13:27:49 +0000 (14:27 +0100)]
CVE-2017-14055
Origin: https://github.com/FFmpeg/FFmpeg/commit/
4f05e2e2dc1a89f38cd9f0960a6561083d714f1e
Gbp-Pq: Name CVE-2017-14055.patch
Markus Koschany [Sun, 30 Dec 2018 16:39:40 +0000 (17:39 +0100)]
CVE-2017-14767
Origin: https://github.com/FFmpeg/FFmpeg/commit/
c42a1388a6d1bfd8001bf6a4241d8ca27e49326d
Gbp-Pq: Name CVE-2017-14767.patch
Markus Koschany [Sun, 30 Dec 2018 16:29:28 +0000 (17:29 +0100)]
CVE-2017-15672
Origin: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=
c20f4fcb74da2d0432c7b54499bb98f48236b904
Gbp-Pq: Name CVE-2017-15672.patch
Markus Koschany [Sun, 30 Dec 2018 16:14:54 +0000 (17:14 +0100)]
CVE-2017-17130
Origin: https://github.com/libav/libav/commit/
49cf72b3ac77140cf4715c18fe7c7610d918d912
Gbp-Pq: Name CVE-2017-17130.patch
Markus Koschany [Sun, 30 Dec 2018 15:57:18 +0000 (16:57 +0100)]
CVE-2017-9993
Origin: https://github.com/FFmpeg/FFmpeg/commit/
a5d849b149ca67ced2d271dc84db0bc95a548abb
Gbp-Pq: Name CVE-2017-9993.patch
Markus Koschany [Sun, 30 Dec 2018 15:54:59 +0000 (16:54 +0100)]
CVE-2017-9994
Origin: https://github.com/FFmpeg/FFmpeg/commit/
6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef
Gbp-Pq: Name CVE-2017-9994.patch
Markus Koschany [Sun, 30 Dec 2018 15:51:20 +0000 (16:51 +0100)]
CVE-2018-14394
Origin: https://github.com/FFmpeg/FFmpeg/commit/
3a2d21bc5f97aa0161db3ae731fc2732be6108b8
Gbp-Pq: Name CVE-2018-14394.patch
Markus Koschany [Sun, 30 Dec 2018 15:39:05 +0000 (16:39 +0100)]
CVE-2018-
1999010
Origin: https://github.com/FFmpeg/FFmpeg/commit/
cced03dd667a5df6df8fd40d8de0bff477ee02e
Gbp-Pq: Name CVE-2018-
1999010.patch
Markus Koschany [Sun, 6 Jan 2019 15:05:17 +0000 (16:05 +0100)]
CVE-2018-6621
Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/
118e1b0b3370dd1c0da442901b486689efd1654b
Gbp-Pq: Name CVE-2018-6621.patch
Markus Koschany [Sun, 30 Dec 2018 14:14:44 +0000 (15:14 +0100)]
CVE-2018-7557
Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/
7414d0bda7763f9bd69c26c068e482ab297c1c96
Gbp-Pq: Name CVE-2018-7557.patch
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access
Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2016-10191.patch
Ronald S. Bultje [Mon, 5 Dec 2016 13:02:33 +0000 (08:02 -0500)]
http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.
Gbp-Pq: Name CVE-2016-10190.patch
Debian Multimedia Maintainers [Tue, 28 May 2019 12:14:01 +0000 (13:14 +0100)]
CVE-2016-10190-pre3-strtoull
Gbp-Pq: Name CVE-2016-10190-pre3-strtoull.patch
Rodger Combs [Sun, 18 Oct 2015 22:50:21 +0000 (17:50 -0500)]
lavf/http: fix incorrect warning in range requests
Gbp-Pq: Name CVE-2016-10190-pre2-
362c17e6.patch
Michael Niedermayer [Sat, 28 Mar 2015 23:33:35 +0000 (00:33 +0100)]
avformat/http: Return an error in case of prematurely ending data
Fixes Ticket 4039
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2016-10190-pre1-
3668701f.patch
projects / libav.git / log