Your message dated Sat, 27 Dec 2008 22:46:58 +0100
with message-id <87r63txpd9....@faui44a.informatik.uni-erlangen.de>
and subject line [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
has caused the Debian Bug report #509616,
regarding libavcodec51: CVE-2008-4610 possible null ptr dereference in vp3.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
509616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libavcodec51
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libavcodec51.

CVE-2008-4610[0]:
| MPlayer allows remote attackers to cause a denial of service
| (application crash) via (1) a malformed AAC file, as demonstrated by
| lol-vlc.aac; or (2) a malformed Ogg Media (OGM) file, as demonstrated
| by lol-ffplay.ogm, different vectors than CVE-2007-6718.

It turned out that the lol-ffplay.ogm crashing mplayer is
not a bug in mplayer but a problem in ffmpeg itself. I
tracked this down to libavcodec/vp3.c: table->table being
NULL causes the GET_VLC macro in bitstream.h to dereference
a NULL ptr, which then causes mplayer to crash.

Attached is a patch to fix this. I am not sure if that is
the correct way to fix this as I have no insight into the code
functionality itself, but at least it prevents mplayer from
crashing. So you might want to check back with upstream.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4610
    http://security-tracker.debian.net/tracker/CVE-2008-4610

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- libavcodec/vp3.c	2008-12-23 21:06:32.000000000 +0100
+++ libavcodec/vp3.c.new	2008-12-23 21:07:22.000000000 +0100
@@ -1165,7 +1165,7 @@
         if (fragment->coeff_count > coeff_index)
             continue;
 
-        if (!eob_run) {
+        if (!eob_run && table->table) {
             /* decode a VLC into a token */
             token = get_vlc2(gb, table->table, 5, 3);
             debug_vlc(" token = %2d, ", token);
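Review bot: the added `table->table` check in the `if (!eob_run && table->table)` condition hides the failure instead of reporting it. When the VLC table was never built, the decode block is skipped silently, `token` is not assigned for this coefficient, and the loop carries on as if the bitstream had been consumed correctly, so the caller still receives no error. As Michael's reply in this thread points out, the underlying defect is that the return value of read_huffman_tree() is ignored where the tables are built; the fix belongs there (check that return value and fail table setup on error), and at this point in the loop a NULL table should produce an error return rather than a condition to continue past.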



--- End Message ---
--- Begin Message ---
Hi Nico,

I'm sorry but I think I'll have to reject your bug report. Please see
the full thread at:
<http://permalink.gmane.org/gmane.comp.video.ffmpeg.devel/79298>

I have to admit that I don't really understand as well what the code
here does, but I agree with Michael that the approach of this patch is
wrong. FFmpeg cannot be made robust to all kinds of wrong data. There
will always be some ways to abuse a library.

In any case, I tried to reproduce the crash with the 'ffmpeg' command
but wasn't able to generate a segfault. I therefore conclude that the
demuxer in avformat does not exhibit the same bug as in mplayer.

If one could provide an example file that crashes the 'ffmpeg' command,
then we could reinvestigate this issue.

Anyway, thanks for your report!

--- Begin Message ---
On Wed, Dec 24, 2008 at 06:09:57PM +0100, Diego Biurrun wrote:
> Here is a patch from Nico Golde that I found in the Debian bug tracker.
> It fixes the crash I experience on my PPC box with
> 
> http://caca.zoy.org/attachment/wiki/zzuf/bugs/lol-ffplay.ogm

this patch is incorrect and insufficient

the first (though this might not be the only) bug is that
the return of read_huffman_tree() is ignored, that is errors are not
passed on to the caller

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-de...@mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/ffmpeg-devel

--- End Message ---
-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

--- End Message ---
