CVE-2017-9993

Origin: https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb

Gbp-Pq: Name CVE-2017-9993.patch

CVE-2017-9994

Origin: https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef

Gbp-Pq: Name CVE-2017-9994.patch

CVE-2018-14394

Origin: https://github.com/FFmpeg/FFmpeg/commit/3a2d21bc5f97aa0161db3ae731fc2732be6108b8

Gbp-Pq: Name CVE-2018-14394.patch

CVE-2018-1999010

Origin: https://github.com/FFmpeg/FFmpeg/commit/cced03dd667a5df6df8fd40d8de0bff477ee02e

Gbp-Pq: Name CVE-2018-1999010.patch

CVE-2018-6621

Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/118e1b0b3370dd1c0da442901b486689efd1654b

Gbp-Pq: Name CVE-2018-6621.patch

CVE-2018-7557

Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96

Gbp-Pq: Name CVE-2018-7557.patch

avformat/rtmppkt: Check for packet size mismatches

Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2016-10191.patch

http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

Gbp-Pq: Name CVE-2016-10190.patch

CVE-2016-10190-pre3-strtoull

Gbp-Pq: Name CVE-2016-10190-pre3-strtoull.patch

lavf/http: fix incorrect warning in range requests

Gbp-Pq: Name CVE-2016-10190-pre2-362c17e6.patch

avformat/http: Return an error in case of prematurely ending data

Fixes Ticket 4039

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2016-10190-pre1-3668701f.patch

avcodec/utils: Clear dimensions in ff_get_buffer() on failure

avcodec/utils: Clear dimensions in ff_get_buffer() on failure

Fixes out of array access
Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] - manually adapted for Debian jessie's libav version which lacks the get_internal_buffer() symbol.

Gbp-Pq: Name CVE-2015-8663.patch

avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

Fixes out of array access
Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8662.patch

avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

Fixes out of array access
Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8661.patch

avcodec/ivi: Check image dimensions

avcodec/ivi: Check image dimensions

Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8364.patch

avcodec/jpeg2000dec: Check for duplicate SIZ marker

avcodec/jpeg2000dec: Check for duplicate SIZ marker

Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8363.patch

avcodec/hevc_ps: Check chroma_format_idc

avcodec/hevc_ps: Check chroma_format_idc

Fixes out of array access
Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Ported to libav 11.12 in Debian jessie LTS.

Gbp-Pq: Name CVE-2015-8217.patch

avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Re-based for libav 11.12 in Debian jessie LTS.

Gbp-Pq: Name CVE-2015-8216.patch

avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()

avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()

Avoids leaving stale pointers
Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6826.patch

avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case

avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case

Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6825.patch

swscale/utils: Clear pix buffers

swscale/utils: Clear pix buffers

Fixes use of uninitialized memory
Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6824.patch

avcodec/alac: Clear pointers in allocate_buffers()

avcodec/alac: Clear pointers in allocate_buffers()

Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6823.patch

avcodec/sanm: Reset sizes in destroy_buffers()

avcodec/sanm: Reset sizes in destroy_buffers()

Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6822.patch

avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()

avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()

This ensures that no stale pointers leak through on any path

Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6821.patch

avcodec/aacsbr: check that the element type matches before applying SBR

avcodec/aacsbr: check that the element type matches before applying SBR

Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6820.patch

avcodec/pngdec: Only allow one IHDR chunk

avcodec/pngdec: Only allow one IHDR chunk

Multiple IHDR chunks are forbidden in PNG
Fixes inconsistency and out of array accesses

Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6818.patch

avcodec/pngdec: Check IHDR/IDAT order

avcodec/pngdec: Check IHDR/IDAT order

Fixes out of array access
Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
[sunweaver] - Port this commit to libav in Debian jessie.

Gbp-Pq: Name CVE-2014-9317.patch

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducable with FFmpeg alone)
Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6761.patch

disable-configuration-warnings

Gbp-Pq: Name 03-disable-configuration-warnings.patch

configure-disable-ebx-gcc-4.9

Gbp-Pq: Name 02-configure-disable-ebx-gcc-4.9.patch

libav (6:11.12-1~deb8u9) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2019-17542: heap-based buffer overflow in vqa_decode_chunk because
    of an out-of-array access in vqa_decode_init in libavcodec/vqavideo.c.
  * CVE-2019-14443: division by zero in range_decode_culshift in
    libavcodec/apedec.c allows remote attackers to cause a denial of
    service (application crash), as demonstrated by avconv.
  * CVE-2018-19128: heap-based buffer over-read in decode_frame in
    libavcodec/lcldec.c that allows an attacker to cause denial-of-service
    via a crafted avi file.
  * CVE-2017-17127: the vc1_decode_frame function in libavcodec/vc1dec.c
    allows remote attackers to cause a denial of service (NULL pointer
    dereference and application crash) via a crafted file.
    CVE-2018-19130 is a duplicate of this vulnerability.
  * CVE-2017-18245: the mpc8_probe function in libavformat/mpc8.c allows
    remote attackers to cause a denial of service (heap-based buffer
    over-read) via a crafted audio file on 32-bit systems.

[dgit import unpatched libav 6:11.12-1~deb8u9]

Import libav_11.12-1~deb8u9.debian.tar.xz

[dgit import tarball libav 6:11.12-1~deb8u9 libav_11.12-1~deb8u9.debian.tar.xz]

Import libav_11.12.orig.tar.xz

[dgit import orig libav_11.12.orig.tar.xz]