Hello community, here is the log from the commit of package ffmpeg for openSUSE:Factory checked in at 2017-09-07 22:12:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ffmpeg (Old) and /work/SRC/openSUSE:Factory/.ffmpeg.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg" Thu Sep 7 22:12:07 2017 rev:33 rq:521951 version:3.3.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/ffmpeg/ffmpeg.changes 2017-08-29 11:42:19.571163587 +0200
+++ /work/SRC/openSUSE:Factory/.ffmpeg.new/ffmpeg.changes 2017-09-07 22:12:40.215574850 +0200
@@ -1,0 +2,32 @@
+Thu Sep 7 08:33:20 UTC 2017 - jeng...@inai.de
+
+- Add 0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
+ [CVE-2017-14171] [boo#1057539],
+ 0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
+ [CVE-2017-14170] [boo#1057537],
+ 0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
+ [CVE-2017-14169] [boo#1057536]
+
+-------------------------------------------------------------------
+Mon Sep 4 20:19:07 UTC 2017 - jeng...@inai.de
+
+- Add 0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
+ [CVE-2017-14058] [boo#1056762],
+ 0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
+ [CVE-2017-14057] [boo#1056761],
+ 0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
+ [CVE-2017-14059] [boo#1056763],
+ 0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
+ [CVE-2017-14054] [boo#1056765],
+ 0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
+ (code not enabled in openSUSE, though in packman)
+ [CVE-2017-14056] [boo#1056760],
+ 0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch
+ [CVE-2017-14055] [boo#1056766]
+
+-------------------------------------------------------------------
+Sat Aug 26 14:56:44 UTC 2017 - jeng...@inai.de
+
+- Unconditionalize celt, ass, openjpeg, webp, netcdf, libva, vdpau.
+
+-------------------------------------------------------------------
New:
----
0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ffmpeg.spec ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old 2017-09-07 22:12:42.183297532 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new 2017-09-07 22:12:42.183297532 +0200
@@ -28,13 +28,6 @@
 %bcond_with x265
 %bcond_with xvid
 %bcond_with opencore
-%bcond_without celt
-%bcond_without libass
-%bcond_without libva
-%bcond_without netcdf
-%bcond_without openjpeg
-%bcond_without vdpau
-%bcond_without webp
 Name: ffmpeg
 Version: 3.3.3
@@ -57,44 +50,41 @@
 Patch3: ffmpeg-pkgconfig-version.patch
 Patch4: ffmpeg-new-coder-errors.diff
 Patch5: ffmpeg-codec-choice.diff
+Patch6: 0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch
+Patch7: 0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch8: 0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch9: 0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch10: 0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch11: 0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch
+Patch12: 0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch
+Patch13: 0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch
+Patch14: 0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch
 BuildRequires: ladspa-devel
 BuildRequires: libgsm-devel
+BuildRequires: libmp3lame-devel
 BuildRequires: pkg-config
 BuildRequires: yasm
 BuildRequires: pkgconfig(alsa)
 BuildRequires: pkgconfig(bzip2)
-%if %{with celt}
 BuildRequires: pkgconfig(celt) >= 0.11.0
-%endif
-BuildRequires: libmp3lame-devel
 BuildRequires: pkgconfig(enca)
 BuildRequires: pkgconfig(fontconfig) >= 2.4.2
 BuildRequires: pkgconfig(freetype2)
 BuildRequires: pkgconfig(fribidi) >= 0.19.0
 BuildRequires: pkgconfig(gnutls)
 BuildRequires: pkgconfig(jack)
-%if %{with libass}
 BuildRequires: pkgconfig(libass)
-%endif
 BuildRequires: pkgconfig(libbluray)
 BuildRequires: pkgconfig(libcdio)
 BuildRequires: pkgconfig(libcdio_paranoia)
 BuildRequires: pkgconfig(libdc1394-2)
 BuildRequires: pkgconfig(liboil-0.3) >= 0.3.15
-%if %{with openjpeg}
 BuildRequires: pkgconfig(libopenjpeg)
-%endif
 BuildRequires: pkgconfig(libpulse)
 BuildRequires: pkgconfig(libraw1394)
-%if %{with libva}
 BuildRequires: pkgconfig(libva) >= 0.35.0
-%endif
-%if %{with webp}
 BuildRequires: pkgconfig(libwebp) >= 0.4
-%endif
-%if %{with netcdf}
 BuildRequires: pkgconfig(netcdf)
-%endif
 BuildRequires: pkgconfig(ogg)
 BuildRequires: pkgconfig(opus)
 BuildRequires: pkgconfig(schroedinger-1.0)
@@ -102,9 +92,7 @@
 BuildRequires: pkgconfig(speex)
 BuildRequires: pkgconfig(theora) >= 1.1
 BuildRequires: pkgconfig(twolame)
-%if %{with vdpau}
 BuildRequires: pkgconfig(vdpau)
-%endif
 BuildRequires: pkgconfig(vorbis)
 BuildRequires: pkgconfig(vpx) >= 1.3.0
 BuildRequires: pkgconfig(x11)
@@ -414,7 +402,8 @@
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -P 4 -P 5 -p1
+%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -P 9 -P 10 -p1
+%patch -P 11 -P 12 -P 13 -P 14 -p1
 %build
 perl -i -pe 's{__TIME__|__DATE__}{"$&"}g' *.c
@@ -437,50 +426,36 @@
 --disable-cuda \
 --disable-cuvid \
 %endif
-%if %{with libass}
 --enable-libass \
-%endif
 --enable-libbluray \
-%if %{with celt}
 --enable-libcelt \
-%endif
 --enable-libcdio \
 --enable-libdc1394 \
 --enable-libfreetype \
 --enable-libgsm \
-%if %{with openjpeg}
+ --enable-libmp3lame \
 --enable-libopenjpeg \
-%endif
 --enable-libopus \
 --enable-libpulse \
 --enable-libschroedinger \
 --enable-libspeex \
 --enable-libtheora \
+ --enable-libtwolame \
 --enable-libvorbis \
 --enable-libvpx \
-%if %{with webp}
 --enable-libwebp \
-%endif
-%if %{with netcdf}
 --enable-netcdf \
-%endif
-%if %{with libva}
 --enable-vaapi \
-%endif
-%if %{with vdpau}
 --enable-vdpau \
-%endif
 %if 0%{?BUILD_ORIG}
 %if %{with fdk_aac}
 --enable-libfdk_aac --enable-nonfree \
 %endif
- --enable-libmp3lame \
 %if %{with opencore}
 --enable-libopencore-amrnb \
 --enable-libopencore-amrwb \
 --enable-version3 \
 %endif
- --enable-libtwolame \
 %if %{with x264}
 --enable-libx264 \
 %endif
++++++ 0001-avformat-hls-Fix-DoS-due-to-infinite-loop.patch ++++++
>From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001
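Review bot: The `- --enable-libmp3lame \` and `- --enable-libtwolame \` lines removed from inside the `%if 0%{?BUILD_ORIG}` block and re-added unconditionally as `+ --enable-libmp3lame \` and `+ --enable-libtwolame \` in this hunk are not mentioned in the ffmpeg.changes entry, which only records "Unconditionalize celt, ass, openjpeg, webp, netcdf, libva, vdpau." The same applies to the new `mp1float`/`mp2float`/`mp3float` decoder and `libmp3lame`/`libtwolame`/`mp2fixed` encoder entries in enable_decoders and enable_encoders further down. Since this appears to change which encoders the non-BUILD_ORIG build ships, the changelog should carry a line such as `- Enable libmp3lame and libtwolame unconditionally; add mp{1,2,3}float decoders and mp2fixed encoder to the codec lists.`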
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 26 Aug 2017 01:26:58 +0200
Subject: [PATCH 1/6] avformat/hls: Fix DoS due to infinite loop
Fixes: loop.m3u
The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujia...@gmail.com>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 doc/demuxers.texi | 18 ++++++++++++++++++
 libavformat/hls.c | 7 +++++++
 2 files changed, 25 insertions(+)
diff --git a/doc/demuxers.texi b/doc/demuxers.texi
index 29a23d48b2..73dc0feec1 100644
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -300,6 +300,24 @@
 used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely.
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 Image file demuxer.
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 01731bd36b..0995345bbf 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
 AVDictionary *avio_opts;
 int strict_std_compliance;
 char *allowed_extensions;
+ int max_reload;
 } HLSContext;
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
 HLSContext *c = v->parent->priv_data;
 int ret, i;
 int just_opened = 0;
+ int reload_count = 0;
 restart:
 if (!v->needed)
@@ -1294,6 +1296,9 @@ restart:
 reload_interval = default_reload_interval(v);
 reload:
+ reload_count++;
+ if (reload_count > c->max_reload)
+ return AVERROR_EOF;
 if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) {
 if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
 OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS},
+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
 {NULL}
 };
-- 
2.14.1
++++++ 0001-avformat-nsvdec-Fix-DoS-due-to-lack-of-eof-check-in-.patch ++++++
>From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 1/3] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: 20170829.nsv
Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/nsvdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index c6ddb67bbd..d8ce656817 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
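Review bot: `reload_count++` runs on every pass through the `reload:` label, while the actual playlist fetch on the following lines is guarded by `!v->finished` and the reload interval, so the new bound counts loop passes rather than reloads and the `max_reload` help text ("Maximum number of times a insufficient list is attempted to be reloaded", repeated in the doc/demuxers.texi hunk) overstates what it limits; read_data continues outside the hunk, so any other paths that jump back to `reload:` are not visible here. A comment at the counter would make the contract explicit, e.g. `/* bounds passes through reload: per read_data() call, not playlist fetches */`. The help string should also read `an insufficient` in both the AVOption entry and the texi text.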
@@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 if (!nsv->nsvs_file_offset)
 return AVERROR(ENOMEM);
- for(i=0;i<table_entries_used;i++)
+ for(i=0;i<table_entries_used;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
+ }
 if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) {
-- 
2.14.1
++++++ 0002-avformat-asfdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 12:37:25 +0200
Subject: [PATCH 2/6] avformat/asfdec: Fix DoS due to lack of eof check
Fixes: loop.asf
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/asfdec_f.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index be09a92bd1..f3acbae280 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
 count = avio_rl32(pb); // markers count
 avio_rl16(pb); // reserved 2 bytes
 name_len = avio_rl16(pb); // name length
- for (i = 0; i < name_len; i++)
- avio_r8(pb); // skip the name
+ avio_skip(pb, name_len);
 for (i = 0; i < count; i++) {
 int64_t pres_time;
 int name_len;
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+
 avio_rl64(pb); // offset, 8 bytes
 pres_time = avio_rl64(pb); // presentation time
 pres_time -= asf->hdr.preroll * 10000;
-- 
2.14.1
++++++ 0002-avformat-mxfdec-Fix-DoS-issues-in-mxf_read_index_ent.patch ++++++
>From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001
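Review bot: The new `avio_skip(pb, name_len);` in the asfdec_f.c hunk consumes the outer `name_len`, while the marker loop that now carries the `avio_feof` check re-declares `int name_len;` two lines later and shadows it; with both names in play in the same hunk, a reader can easily take the inner one for the value just skipped. Renaming the inner variable (its uses are outside the hunk) or adding `/* per-marker name length, distinct from the header name_len above */` at the inner declaration would remove the ambiguity. The placement of the check itself, before any read of the iteration, is the right one given that `count` comes straight from `avio_rl32`. asf_read_marker continues outside the hunk.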
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 2/3] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: 20170829A.mxf
Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mxfdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index f8d0f9e057..6adb77d81f 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 segment->nb_index_entries = avio_rb32(pb);
 length = avio_rb32(pb);
+ if(segment->nb_index_entries && length < 11)
+ return AVERROR_INVALIDDATA;
 if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 }
 for (i = 0; i < segment->nb_index_entries; i++) {
+ if(avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 segment->temporal_offset_entries[i] = avio_r8(pb);
 avio_r8(pb); /* KeyFrameOffset */
 segment->flag_entries[i] = avio_r8(pb);
-- 
2.14.1
++++++ 0003-avformat-cinedec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:27 +0200
Subject: [PATCH 3/6] avformat/cinedec: Fix DoS due to lack of eof check
Fixes: loop.cine
Found-by: Xiaohei and Wangchu from Alibaba Security Team
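Review bot: The bare `11` in `if(segment->nb_index_entries && length < 11)` in the first mxfdec.c hunk is unexplained; from the loop in the second hunk it looks like the minimum per-entry size (three `avio_r8` reads are visible, presumably followed by an 8-byte stream offset read outside the hunk), so it deserves a comment such as `/* 1+1+1+8: TemporalOffset, KeyFrameOffset, Flags, StreamOffset */` or a named constant. Note also that the two `av_calloc` calls are still sized by `nb_index_entries` taken straight from `avio_rb32`; the `avio_feof` check in the loop stops reading at end of file but does nothing to bound the allocation, so if an upper bound is derivable (for example from the enclosing KLV length) it would be worth applying before allocating. mxf_read_index_entry_array continues outside both hunks.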
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/cinedec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index 763b93ba2e..de34fb9638 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 /* parse image offsets */
 avio_seek(pb, offImageOffsets, SEEK_SET);
- for (i = 0; i < st->duration; i++)
+ for (i = 0; i < st->duration; i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+
 av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ }
 return 0;
 }
-- 
2.14.1
++++++ 0003-avformat-mxfdec-Fix-Sign-error-in-mxf_read_primer_pa.patch ++++++
>From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= <tony...@alibaba-inc.com>
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 3/3] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: 20170829B.mxf
Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 6adb77d81f..91731a7533 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
 avpriv_request_sample(pb, "Primer pack item length %d", item_len);
 return AVERROR_PATCHWELCOME;
 }
- if (item_num > 65536) {
+ if (item_num > 65536 || item_num < 0) {
 av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
 return AVERROR_INVALIDDATA;
 }
-- 
2.14.1
++++++ 0004-avformat-rmdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
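Review bot: With `item_num < 0` now rejected by the same branch in the mxf_read_primer_pack hunk, the unchanged `av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);` reports a negative count as "too large", which misleads whoever reads the log when diagnosing a rejected file. Making the message neutral, e.g. `"item_num %d is out of range\n"`, keeps it accurate for both halves of the condition. mxf_read_primer_pack continues outside the hunk.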
>From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:28 +0200
Subject: [PATCH 4/6] avformat/rmdec: Fix DoS due to lack of eof check
Fixes: loop.ivr
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/rmdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 178eaea57d..d6d7d9cd84 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s)
 av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
 } else if (type == 4) {
 av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
- for (j = 0; j < len; j++)
+ for (j = 0; j < len; j++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+ }
 av_log(s, AV_LOG_DEBUG, "'\n");
 } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
 nb_streams = value = avio_rb32(pb);
-- 
2.14.1
++++++ 0005-avformat-rl2-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu....@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:29 +0200
Subject: [PATCH 5/6] avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/rl2.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1d9a..eb1682dfcb 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
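Review bot: The new early return inside the hex-dump loop in the rmdec.c hunk leaves the debug line opened by `av_log(s, AV_LOG_DEBUG, "%s = '0x", key);` unterminated, because the closing `av_log(s, AV_LOG_DEBUG, "'\n");` after the loop is skipped and the next log message will be glued onto the partial hex dump. Closing the line before bailing out keeps the log readable: `if (avio_feof(pb)) { av_log(s, AV_LOG_DEBUG, "'\n"); return AVERROR_INVALIDDATA; }`. ivr_read_header continues outside the hunk, so whether other resources need releasing on this path is not visible here.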
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
 }
 /** read offset and size tables */
- for(i=0; i < frame_count;i++)
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 chunk_size[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 chunk_offset[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 audio_size[i] = avio_rl32(pb) & 0xFFFF;
+ }
 /** build the sample index */
 for(i=0;i<frame_count;i++){
-- 
2.14.1
++++++ 0006-avformat-mvdec-Fix-DoS-due-to-lack-of-eof-check.patch ++++++
>From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Fri, 25 Aug 2017 01:15:30 +0200
Subject: [PATCH 6/6] avformat/mvdec: Fix DoS due to lack of eof check
Fixes: loop.mv
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 0e12c8c6c1..f7aa4cbaec 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx)
 uint32_t pos = avio_rb32(pb);
 uint32_t asize = avio_rb32(pb);
 uint32_t vsize = avio_rb32(pb);
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 avio_skip(pb, 8);
 av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
 av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
-- 
2.14.1
++++++ enable_decoders ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old 2017-09-07 22:12:42.283283441 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new 2017-09-07 22:12:42.287282877 +0200
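Review bot: The three new `return AVERROR_INVALIDDATA;` paths in the rl2.c hunk leave rl2_read_header from the middle of table parsing, and `chunk_size`, `chunk_offset` and `audio_size` are written here but allocated and released outside the hunk; if they are heap tables freed further down after the index is built (their allocation is not visible), every truncated input now leaks all three. In that case the error should go through the same release as the success path, e.g. `ret = AVERROR_INVALIDDATA;` followed by a jump to a label that frees the three tables before returning `ret`, rather than a bare return. Since the identical check is repeated in three consecutive loops, a single loop over the three destinations or a small static helper would also shrink the hunk, but that is secondary to the cleanup question.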
@@ -23,12 +23,15 @@
 libvpx_vp8
 libvpx_vp9
 mjpeg # mjpegtools
-#mpeg1video # libav
-#mpeg2video # libav
-#mpeg4 # libav
-mp1
+#mpeg1video
+#mpeg2video
+#mpeg4
+mp1 # twolame/lame
+mp1float # twolame/lame
 mp2 # twolame
+mp2float # twolame
 mp3 # lame
+mp3float # lame
 opus # libopus
 pam # trivial
 pbm # trivial
++++++ enable_encoders ++++++
--- /var/tmp/diff_new_pack.P8F3ZP/_old 2017-09-07 22:12:42.311279495 +0200
+++ /var/tmp/diff_new_pack.P8F3ZP/_new 2017-09-07 22:12:42.315278931 +0200
@@ -9,20 +9,21 @@
 huffyuv # trivial+zlib
 jpegls
 libgsm
+libmp3lame
 libopenjpeg
 libopus
 libschroedinger
 libspeex
 libtheora
+libtwolame
 libvorbis
 libvpx_vp8
 libvpx_vp9
 libwebp
 libwebp_anim
-mjpeg
-mp1
+mjpeg # mjpegtools
 mp2 # twolame
-mp3 # lame
+mp2fixed # twolame
 pam
 pbm
 pcm_alaw