Hello community, here is the log from the commit of package ffmpeg for openSUSE:Factory checked in at 2017-07-23 12:13:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ffmpeg (Old) and /work/SRC/openSUSE:Factory/.ffmpeg.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg" Sun Jul 23 12:13:11 2017 rev:30 rq:511228 version:3.3.2 Changes: --------
--- /work/SRC/openSUSE:Factory/ffmpeg/ffmpeg.changes 2017-07-02 13:37:05.464259837 +0200
+++ /work/SRC/openSUSE:Factory/.ffmpeg.new/ffmpeg.changes 2017-07-23 12:13:34.826689709 +0200
@@ -1,0 +2,6 @@
+Tue Jul 18 08:47:03 UTC 2017 - [email protected]
+
+- Add 0001-avcodec-apedec-Fix-integer-overflow.patch
+ to address CVE-2017-11399 [boo#1049095]
+
+-------------------------------------------------------------------
New: ---- 0001-avcodec-apedec-Fix-integer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg.spec ++++++
--- /var/tmp/diff_new_pack.uEBKc8/_old 2017-07-23 12:13:35.570584628 +0200
+++ /var/tmp/diff_new_pack.uEBKc8/_new 2017-07-23 12:13:35.570584628 +0200
@@ -59,6 +59,7 @@
 Patch3: ffmpeg-pkgconfig-version.patch
 Patch4: ffmpeg-new-coder-errors.diff
 Patch5: ffmpeg-codec-choice.diff
+Patch6: 0001-avcodec-apedec-Fix-integer-overflow.patch
 BuildRequires: ladspa-devel
 BuildRequires: libgsm-devel
 BuildRequires: pkg-config
@@ -420,7 +421,7 @@
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -P 4 -P 5 -p1
+%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -p1
 %build
 perl -i -pe 's{__TIME__|__DATE__}{"$&"}g' *.c
++++++ 0001-avcodec-apedec-Fix-integer-overflow.patch ++++++
>From ba4beaf6149f7241c8bd85fe853318c2f6837ad0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sun, 16 Jul 2017 14:57:20 +0200
Subject: [PATCH] avcodec/apedec: Fix integer overflow
Fixes: out of array access
Fixes: PoC.ape and others
Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <[email protected]>
References: CVE-2017-11399
References: http://bugzilla.opensuse.org/1049095
---
 libavcodec/apedec.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index a6b14b8e24..15eb416ba4 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
 int32_t *sample24;
 int i, ch, ret;
 int blockstodecode;
+ uint64_t decoded_buffer_size;
 /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */
@@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
 skip_bits_long(&s->gb, offset);
 }
- if (!nblocks || nblocks > INT_MAX) {
+ if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
 av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks);
 return AVERROR_INVALIDDATA;
@@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
 blockstodecode = s->samples;
 /* reallocate decoded sample buffer if needed */
- av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
- 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
+ decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
+ av_assert0(decoded_buffer_size <= INT_MAX);
+ av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
 if (!s->decoded_buffer)
 return AVERROR(ENOMEM);
 memset(s->decoded_buffer, 0, s->decoded_size);
-- 2.13.2
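Review bot: The new bound `INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8` in the second apedec.c hunk is an undocumented magic expression that mirrors the allocation size computed in the third hunk (`2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)`), yet nothing in the code ties the two together. Because the size check on the allocation is now an `av_assert0(decoded_buffer_size <= INT_MAX)`, a later edit to either expression that is not mirrored in the other would turn an oversized sample count in a crafted file into an abort rather than the AVERROR_INVALIDDATA path, and the assert is only safe as long as blockstodecode (copied from s->samples, which is presumably set from nblocks outside the hunk) cannot exceed nblocks. I would add a comment above the check, `/* keep in sync with the decoded_buffer allocation below: 2 * FFALIGN(nblocks, 8) * sizeof(*s->decoded_buffer) must fit in INT_MAX; the -8 absorbs the FFALIGN rounding */`, and a matching `/* guaranteed by the nblocks check above */` on the av_assert0 line. ape_decode_frame starts and ends outside these hunks.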
