Hello community,

here is the log from the commit of package ffmpeg for openSUSE:Factory checked 
in at 2017-09-07 22:12:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg (Old)
 and      /work/SRC/openSUSE:Factory/.ffmpeg.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ffmpeg"

Thu Sep  7 22:12:07 2017 rev:33 rq:521951 version:3.3.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/ffmpeg/ffmpeg.changes    2017-08-29 
11:42:19.571163587 +0200
+++ /work/SRC/openSUSE:Factory/.ffmpeg.new/ffmpeg.changes       2017-09-07 
22:12:40.215574850 +0200
@@ -1,0 +2,32 @@
+Thu Sep  7 08:33:20 UTC 2017 - jeng...@inai.de
+
+- Add 0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
+  [CVE-2017-14171] [boo#1057539],
+  0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
+  [CVE-2017-14170] [boo#1057537],
+  0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
+  [CVE-2017-14169] [boo#1057536]
+
+-------------------------------------------------------------------
+Mon Sep  4 20:19:07 UTC 2017 - jeng...@inai.de
+
+- Add 0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
+  [CVE-2017-14058] [boo#1056762],
+  0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
+  [CVE-2017-14057] [boo#1056761],
+  0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
+  [CVE-2017-14059] [boo#1056763],
+  0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
+  [CVE-2017-14054] [boo#1056765],
+  0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
+  (code not enabled in openSUSE, though in packman)
+  [CVE-2017-14056] [boo#1056760],
+  0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch
+  [CVE-2017-14055] [boo#1056766]
+
+-------------------------------------------------------------------
+Sat Aug 26 14:56:44 UTC 2017 - jeng...@inai.de
+
+- Unconditionalize celt, ass, openjpeg, webp, netcdf, libva, vdpau.
+
+-------------------------------------------------------------------

New:
----
  0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
  0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
  0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
  0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
  0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
  0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
  0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
  0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
  0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ffmpeg.spec ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old  2017-09-07 22:12:42.183297532 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new  2017-09-07 22:12:42.183297532 +0200
@@ -28,13 +28,6 @@
 %bcond_with    x265
 %bcond_with    xvid
 %bcond_with    opencore
-%bcond_without celt
-%bcond_without libass
-%bcond_without libva
-%bcond_without netcdf
-%bcond_without openjpeg
-%bcond_without vdpau
-%bcond_without webp
 
 Name:           ffmpeg
 Version:        3.3.3
@@ -57,44 +50,41 @@
 Patch3:         ffmpeg-pkgconfig-version.patch
 Patch4:         ffmpeg-new-coder-errors.diff
 Patch5:         ffmpeg-codec-choice.diff
+Patch6:         0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
+Patch7:         0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch8:         0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch9:         0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch10:        0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch11:        0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch12:        0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
+Patch13:        0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
+Patch14:        0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
+BuildRequires:  libmp3lame-devel
 BuildRequires:  pkg-config
 BuildRequires:  yasm
 BuildRequires:  pkgconfig(alsa)
 BuildRequires:  pkgconfig(bzip2)
-%if %{with celt}
 BuildRequires:  pkgconfig(celt) >= 0.11.0
-%endif
-BuildRequires:  libmp3lame-devel
 BuildRequires:  pkgconfig(enca)
 BuildRequires:  pkgconfig(fontconfig) >= 2.4.2
 BuildRequires:  pkgconfig(freetype2)
 BuildRequires:  pkgconfig(fribidi) >= 0.19.0
 BuildRequires:  pkgconfig(gnutls)
 BuildRequires:  pkgconfig(jack)
-%if %{with libass}
 BuildRequires:  pkgconfig(libass)
-%endif
 BuildRequires:  pkgconfig(libbluray)
 BuildRequires:  pkgconfig(libcdio)
 BuildRequires:  pkgconfig(libcdio_paranoia)
 BuildRequires:  pkgconfig(libdc1394-2)
 BuildRequires:  pkgconfig(liboil-0.3) >= 0.3.15
-%if %{with openjpeg}
 BuildRequires:  pkgconfig(libopenjpeg)
-%endif
 BuildRequires:  pkgconfig(libpulse)
 BuildRequires:  pkgconfig(libraw1394)
-%if %{with libva}
 BuildRequires:  pkgconfig(libva) >= 0.35.0
-%endif
-%if %{with webp}
 BuildRequires:  pkgconfig(libwebp) >= 0.4
-%endif
-%if %{with netcdf}
 BuildRequires:  pkgconfig(netcdf)
-%endif
 BuildRequires:  pkgconfig(ogg)
 BuildRequires:  pkgconfig(opus)
 BuildRequires:  pkgconfig(schroedinger-1.0)
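Review bot: The nine new `PatchN:` lines carry no comment tying each patch to the CVE and Bugzilla entry it fixes, so that mapping lives only in ffmpeg.changes. A comment line above each entry, for example `# CVE-2017-14058, boo#1056762` above `Patch6:`, would let someone auditing the spec confirm which fixes are applied and drop the right ones at the next version bump. Patch10 (rl2, CVE-2017-14056) deserves an extra remark in that comment, since the changelog states that this demuxer is not enabled in the openSUSE build.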
@@ -102,9 +92,7 @@
 BuildRequires:  pkgconfig(speex)
 BuildRequires:  pkgconfig(theora) >= 1.1
 BuildRequires:  pkgconfig(twolame)
-%if %{with vdpau}
 BuildRequires:  pkgconfig(vdpau)
-%endif
 BuildRequires:  pkgconfig(vorbis)
 BuildRequires:  pkgconfig(vpx) >= 1.3.0
 BuildRequires:  pkgconfig(x11)
@@ -414,7 +402,8 @@
 
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -P 4 -P 5 -p1
+%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -P 9 -P 10 -p1
+%patch -P 11 -P 12 -P 13 -P 14 -p1
 
 %build
 perl -i -pe 's{__TIME__|__DATE__}{"$&"}g' *.c
@@ -437,50 +426,36 @@
        --disable-cuda \
        --disable-cuvid \
 %endif
-%if %{with libass}
        --enable-libass \
-%endif
        --enable-libbluray \
-%if %{with celt}
        --enable-libcelt \
-%endif
        --enable-libcdio \
        --enable-libdc1394 \
        --enable-libfreetype \
        --enable-libgsm \
-%if %{with openjpeg}
+       --enable-libmp3lame \
        --enable-libopenjpeg \
-%endif
        --enable-libopus \
        --enable-libpulse \
        --enable-libschroedinger \
        --enable-libspeex \
        --enable-libtheora \
+       --enable-libtwolame \
        --enable-libvorbis \
        --enable-libvpx \
-%if %{with webp}
        --enable-libwebp \
-%endif
-%if %{with netcdf}
        --enable-netcdf \
-%endif
-%if %{with libva}
        --enable-vaapi \
-%endif
-%if %{with vdpau}
        --enable-vdpau \
-%endif
 %if 0%{?BUILD_ORIG}
 %if %{with fdk_aac}
        --enable-libfdk_aac --enable-nonfree \
 %endif
-       --enable-libmp3lame \
 %if %{with opencore}
        --enable-libopencore-amrnb \
        --enable-libopencore-amrwb \
        --enable-version3 \
 %endif
-       --enable-libtwolame \
 %if %{with x264}
        --enable-libx264 \
 %endif

++++++ 0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch ++++++
>From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 26 Aug 2017 01:26:58 +0200
Subject: [PATCH 1/6] avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better 
solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu <lingjiujia...@gmail.com>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 doc/demuxers.texi | 18 ++++++++++++++++++
 libavformat/hls.c |  7 +++++++
 2 files changed, 25 insertions(+)

diff --git a/doc/demuxers.texi b/doc/demuxers.texi
index 29a23d48b2..73dc0feec1 100644
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -300,6 +300,24 @@ used to end the output video at the length of the shortest 
input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.
 
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 
 Image file demuxer.
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 01731bd36b..0995345bbf 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
     AVDictionary *avio_opts;
     int strict_std_compliance;
     char *allowed_extensions;
+    int max_reload;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int 
buf_size)
     HLSContext *c = v->parent->priv_data;
     int ret, i;
     int just_opened = 0;
+    int reload_count = 0;
 
 restart:
     if (!v->needed)
@@ -1294,6 +1296,9 @@ restart:
         reload_interval = default_reload_interval(v);
 
 reload:
+        reload_count++;
+        if (reload_count > c->max_reload)
+            return AVERROR_EOF;
         if (!v->finished &&
             av_gettime_relative() - v->last_load_time >= reload_interval) {
             if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
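Review bot: When the new guard under `reload:` trips, read_data returns `AVERROR_EOF` without logging anything, so a playlist that hit the reload cap looks the same to the caller as a stream that ended normally. A line such as `av_log(v->parent, AV_LOG_ERROR, "max_reload (%d) reached, giving up\n", c->max_reload);` before the return would make the cut-off visible in logs. Because `reload_count++` runs before the comparison, the first pass through `reload:` already counts, and the option hunk further down accepts 0 as a valid value, which as far as these lines show would fail on that first pass; either start the option range at 1 or document what 0 means. read_data continues outside this hunk.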
@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
         OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
         {.str = 
"3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
         INT_MIN, INT_MAX, FLAGS},
+    {"max_reload", "Maximum number of times a insufficient list is attempted 
to be reloaded",
+        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
     {NULL}
 };
 
-- 
2.14.1

++++++ 0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch ++++++
>From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 1/3] avformat/nsvdec: Fix DoS due to lack of eof check in
 nsvs_file_offset loop.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/nsvdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index c6ddb67bbd..d8ce656817 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
         if (!nsv->nsvs_file_offset)
             return AVERROR(ENOMEM);
 
-        for(i=0;i<table_entries_used;i++)
+        for(i=0;i<table_entries_used;i++) {
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
             nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
+        }
 
         if(table_entries > table_entries_used &&
            avio_rl32(pb) == MKTAG('T','O','C','2')) {
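Review bot: The eof guard covers only the nsvs_file_offset loop, while the `TOC2` branch that begins on the last two lines of this hunk continues outside it; if that branch fills a second table with a per-entry `avio_rl32(pb)` loop over the same `table_entries_used`, it needs the same `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` check. The buffer is also allocated before the loop from a count that is presumably read from the file header, so the guard bounds read time but not allocation size. A comment above the check, such as `/* table_entries_used is file-supplied; stop at EOF rather than iterating over a truncated table */`, would record why it is there.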
-- 
2.14.1

++++++ 0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 12:37:25 +0200
Subject: [PATCH 2/6] avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/asfdec_f.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index be09a92bd1..f3acbae280 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t 
size)
     count = avio_rl32(pb);    // markers count
     avio_rl16(pb);            // reserved 2 bytes
     name_len = avio_rl16(pb); // name length
-    for (i = 0; i < name_len; i++)
-        avio_r8(pb); // skip the name
+    avio_skip(pb, name_len);
 
     for (i = 0; i < count; i++) {
         int64_t pres_time;
         int name_len;
 
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
         avio_rl64(pb);             // offset, 8 bytes
         pres_time = avio_rl64(pb); // presentation time
         pres_time -= asf->hdr.preroll * 10000;
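Review bot: The replacement `avio_skip(pb, name_len);` lost the `// skip the name` comment that the removed loop carried, and the loop-local `int name_len;` a few lines below shadows the outer variable that was just used for that skip. Keeping the comment, `avio_skip(pb, name_len); // skip the name`, and renaming the inner variable would make it clear which length each read refers to. The rest of the marker loop lies outside this hunk.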
-- 
2.14.1

++++++ 0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch ++++++
>From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 2/3] avformat/mxfdec: Fix DoS issues in
 mxf_read_index_entry_array()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mxfdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index f8d0f9e057..6adb77d81f 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
     segment->nb_index_entries = avio_rb32(pb);
 
     length = avio_rb32(pb);
+    if(segment->nb_index_entries && length < 11)
+        return AVERROR_INVALIDDATA;
 
     if 
(!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, 
sizeof(*segment->temporal_offset_entries))) ||
         !(segment->flag_entries          = 
av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
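Review bot: The bare `11` in `length < 11` is unexplained; judging from the reads in the loop it appears to be the minimum size of one index entry, and a comment such as `/* each entry is at least 11 bytes: 1 + 1 + 1 + 8 */` would say so, assuming an 8-byte field is read just past the end of the next hunk. Separately, `segment->nb_index_entries` comes straight from `avio_rb32(pb)` and still sizes the `av_calloc` calls before any entry is read, so the eof check added in the second hunk bounds loop time but not allocation size. Both hunks cut through mxf_read_index_entry_array, so whether the arrays are released after the new error returns cannot be seen from here.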
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
     }
 
     for (i = 0; i < segment->nb_index_entries; i++) {
+        if(avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         segment->temporal_offset_entries[i] = avio_r8(pb);
         avio_r8(pb);                                        /* KeyFrameOffset 
*/
         segment->flag_entries[i] = avio_r8(pb);
-- 
2.14.1

++++++ 0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:27 +0200
Subject: [PATCH 3/6] avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/cinedec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index 763b93ba2e..de34fb9638 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 
     /* parse image offsets */
     avio_seek(pb, offImageOffsets, SEEK_SET);
-    for (i = 0; i < st->duration; i++)
+    for (i = 0; i < st->duration; i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
         av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+    }
 
     return 0;
 }
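Review bot: `av_add_index_entry()` can fail, and inside the newly braced loop its return value is still discarded, so an allocation failure partway through a large `st->duration` goes unnoticed while the loop keeps reading offsets. Checking it, e.g. `if (av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`, stops at the first failure. The same unchecked calls appear in the mv_read_header hunk of the mvdec patch.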
-- 
2.14.1

++++++ 0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch ++++++
>From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
 <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 3/3] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 6adb77d81f..91731a7533 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, 
int tag, int size, U
         avpriv_request_sample(pb, "Primer pack item length %d", item_len);
         return AVERROR_PATCHWELCOME;
     }
-    if (item_num > 65536) {
+    if (item_num > 65536 || item_num < 0) {
         av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
         return AVERROR_INVALIDDATA;
     }
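Review bot: With `item_num < 0` added to the condition, the message `"item_num %d is too large\n"` is now printed for negative counts as well, which misleads anyone reading the log of a rejected file. Wording that covers both cases, `av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is out of range\n", item_num);`, keeps the diagnostic accurate. mxf_read_primer_pack starts and ends outside this hunk.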
-- 
2.14.1

++++++ 0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:28 +0200
Subject: [PATCH 4/6] avformat/rmdec: Fix DoS due to lack of eof check

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/rmdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 178eaea57d..d6d7d9cd84 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
         } else if (type == 4) {
             av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-            for (j = 0; j < len; j++)
+            for (j = 0; j < len; j++) {
+                if (avio_feof(pb))
+                    return AVERROR_INVALIDDATA;
                 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+            }
             av_log(s, AV_LOG_DEBUG, "'\n");
         } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", 
tlen)) {
             nb_streams = value = avio_rb32(pb);
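Review bot: The new early return fires in the middle of a debug line opened with `"%s = '0x"`, so the closing `"'\n"` is never written and the failure itself produces no message. Logging before the return, for example `av_log(s, AV_LOG_ERROR, "Unexpected end of file while reading '%s'\n", key);`, would tell the user why the header was rejected. ivr_read_header continues outside this hunk, so any other length-driven loops in it cannot be checked from here.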
-- 
2.14.1

++++++ 0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:29 +0200
Subject: [PATCH 5/6] avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/rl2.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1d9a..eb1682dfcb 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
     }
 
     /** read offset and size tables */
-    for(i=0; i < frame_count;i++)
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_size[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_offset[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         audio_size[i] = avio_rl32(pb) & 0xFFFF;
+    }
 
     /** build the sample index */
     for(i=0;i<frame_count;i++){
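Review bot: All three new `return AVERROR_INVALIDDATA;` statements leave rl2_read_header directly, and `chunk_size`, `chunk_offset` and `audio_size` are indexed as plain locals; if they are heap buffers allocated earlier in this function (the allocation is outside the hunk), each early return leaks them. Routing the error through the function's cleanup, for instance `if (avio_feof(pb)) { ret = AVERROR_INVALIDDATA; goto end; }` with `end` standing in for whatever label or free sequence the function already has, avoids that. This matters because the path is reached by exactly the truncated input the patch is meant to reject.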
-- 
2.14.1

++++++ 0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Fri, 25 Aug 2017 01:15:30 +0200
Subject: [PATCH 6/6] avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 0e12c8c6c1..f7aa4cbaec 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx)
             uint32_t pos   = avio_rb32(pb);
             uint32_t asize = avio_rb32(pb);
             uint32_t vsize = avio_rb32(pb);
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 8);
             av_add_index_entry(ast, pos, timestamp, asize, 0, 
AVINDEX_KEYFRAME);
             av_add_index_entry(vst, pos + asize, i, vsize, 0, 
AVINDEX_KEYFRAME);
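Review bot: `pos` and `asize` are both `uint32_t`, so `pos + asize` in the second `av_add_index_entry()` call wraps modulo 2^32 before it is passed on, and the new eof check does not constrain either value. Widening first, `(int64_t)pos + asize`, keeps the index position from wrapping on file-supplied values; the line predates this patch but sits directly under the added check. mv_read_header starts and ends outside the hunk.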
-- 
2.14.1

++++++ enable_decoders ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old  2017-09-07 22:12:42.283283441 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new  2017-09-07 22:12:42.287282877 +0200
@@ -23,12 +23,15 @@
 libvpx_vp8
 libvpx_vp9
 mjpeg # mjpegtools
-#mpeg1video # libav
-#mpeg2video # libav
-#mpeg4 # libav
-mp1
+#mpeg1video
+#mpeg2video
+#mpeg4
+mp1 # twolame/lame
+mp1float # twolame/lame
 mp2 # twolame
+mp2float # twolame
 mp3 # lame
+mp3float # lame
 opus # libopus
 pam # trivial
 pbm # trivial

++++++ enable_encoders ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old  2017-09-07 22:12:42.311279495 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new  2017-09-07 22:12:42.315278931 +0200
@@ -9,20 +9,21 @@
 huffyuv # trivial+zlib
 jpegls
 libgsm
+libmp3lame
 libopenjpeg
 libopus
 libschroedinger
 libspeex
 libtheora
+libtwolame
 libvorbis
 libvpx_vp8
 libvpx_vp9
 libwebp
 libwebp_anim
-mjpeg
-mp1
+mjpeg # mjpegtools
 mp2 # twolame
-mp3 # lame
+mp2fixed # twolame
 pam
 pbm
 pcm_alaw


