*** This bug is a security vulnerability ***

Public security bug reported:

FFmpeg 2.5.8 fixing a number of crashes and other potentially security relevant issues was released.

From the upstream Changelog:

version 2.5.8
- snow: remove an obsolete av_assert2
- huffyuvdec: validate image size
- vc1dec: use get_bits_long and limit the read bits to 32
- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts
- libshine: fix support for shine 3.0
- avidec: check for valid bit_rate range
- avformat/nut: support WavPack
- avcodec/diracdec: Check slices malloc and propagate error code
- avcodec/vp8: Check buffer size in vp8_decode_frame_header()
- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free()
- avcodec/diracdec: Check for hpel_base allocation failure
- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
- avfilter/af_aresample: Check ff_all_* for allocation failures
- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
- swscale/utils: Clear pix buffers
- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write()
- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate
- ffmpeg: Fix crash with ost->last_frame allocation failure
- ffmpeg: Fix cleanup with ost = NULL
- avcodec/pthread_frame: check avctx on deallocation
- avcodec/sanm: Reset sizes in destroy_buffers()
- avcodec/alac: Clear pointers in allocate_buffers()
- bytestream2: set the reader to the end when reading more than available
- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264
- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
- oggparsedirac: check return value of init_get_bits
- wmalosslessdec: reset frame->nb_samples on packet loss
- wmalosslessdec: avoid reading 0 bits with get_bits
- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2()
- avcodec/aacsbr: Assert that bs_num_env is positive
- avcodec/aacsbr: check that the element type matches before applying SBR
- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
- vp9/update_prob: prevent out of bounds table read
- avfilter/vf_transpose: Fix rounding error
- avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
- avcodec/pngdec: Require a IHDR chunk before fctl
- avcodec/pngdec: Only allow one IHDR chunk
- wmavoice: limit wmavoice_decode_packet return value to packet size
- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian
- ffmpeg: Do not use the data/size of a bitstream filter after failure
- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext}
- swscale/x86/rgb2rgb_template: add missing xmm clobbers
- vda: unlock the pixel buffer base address.
- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c()
- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE
- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian
- swr: Remember previously set int_sample_format from user
- matroskadec: check audio sample rate
- matroskadec: validate audio channels and bitdepth
- avcodec/dpxenc: implement write16/32 as functions
- postproc: fix unaligned access
- ffmpeg: Free last_frame instead of just unref
- avio: fix potential crashes when combining ffio_ensure_seekback + crc
- h264: er: Copy from the previous reference only if compatible
- sonic: set avctx->channels in sonic_decode_init
- vp8: change mv_{min,max}.{x,y} type to int
- vp9: change type of tile_size from unsigned to int64_t
- arm: only enable setend on ARMv6
- libopenjpegdec: check existence of image component data
- mov: abort on EOF in ff_mov_read_chan
- ffmpeg_opt: Check for localtime() failure
- avformat: Fix bug in parse_rps for HEVC.
- takdec: ensure chan2 is a valid channel index
- avcodec/h264_slice: Use AVFrame dimensions for grayscale handling
- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet()
- libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'.
- avcodec/jpeg2000dec: Check that coords match before applying ICT
- avformat/ffmdec: Check ffio_set_buf_size() return value
- avcodec/adpcm: Check for overreads
- avcodec/alsdec: Check for overread
- avcodec/atrac3plusdec: consume only as many bytes as available
- libavutil/softfloat: Fix av_normalize1_sf bias.
- swresample/swresample: Cleanup on init failure.
- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference"
- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec
- swresample/dither: check memory allocation
- libopenjpegenc: add NULL check for img before accessing it
- swresample: Check the return value of resampler->init()
- h264: Make sure reinit failures mark the context as not initialized
- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target
- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits()
- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes()
- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged
- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size()
- avformat/wavdec: Increase dts packet threshold to fix more misdetections
- avformat/wavdec: Increase probe_packets limit
- avformat/swfdec: Do not error out on pixel format changes
- avfilter/x86/vf_hqdn3d: Fix register types
- avcodec/mjpegenc_common: Use ff_mpv_reallocate_putbitbuffer()
- avcodec/mpegvideo: Factor ff_mpv_reallocate_putbitbuffer() out
- avformat/mov: Mark avio context of decompressed atoms as seekable
- avcodec/hevc_ps: Only discard overread VPS if a previous is available
- avcodec/x86/h264_weight: handle weight1=128
- avcodec/exr: fix crash caused by merge

** Affects: ffmpeg (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1480311

Title:
  FFmpeg security fixes July 2015