*** This bug is a security vulnerability ***
Public security bug reported:
FFmpeg 2.5.8 fixing a number of crashes and other potentially security relevant
issues was released.
>From the upstream Changelog:
version 2.5.8
- snow: remove an obsolete av_assert2
- huffyuvdec: validate image size
- vc1dec: use get_bits_long and limit the read bits to 32
- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts
- libshine: fix support for shine 3.0
- avidec: check for valid bit_rate range
- avformat/nut: support WavPack
- avcodec/diracdec: Check slices malloc and propagate error code
- avcodec/vp8: Check buffer size in vp8_decode_frame_header()
- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free()
- avcodec/diracdec: Check for hpel_base allocation failure
- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
- avfilter/af_aresample: Check ff_all_* for allocation failures
- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
- swscale/utils: Clear pix buffers
- avutil/fifo: Fix the case where func() returns less bytes than requested in
av_fifo_generic_write()
- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate
- ffmpeg: Fix crash with ost->last_frame allocation failure
- ffmpeg: Fix cleanup with ost = NULL
- avcodec/pthread_frame: check avctx on deallocation
- avcodec/sanm: Reset sizes in destroy_buffers()
- avcodec/alac: Clear pointers in allocate_buffers()
- bytestream2: set the reader to the end when reading more than available
- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2()
for H.264
- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
- oggparsedirac: check return value of init_get_bits
- wmalosslessdec: reset frame->nb_samples on packet loss
- wmalosslessdec: avoid reading 0 bits with get_bits
- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2()
- avcodec/aacsbr: Assert that bs_num_env is positive
- avcodec/aacsbr: check that the element type matches before applying SBR
- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
- vp9/update_prob: prevent out of bounds table read
- avfilter/vf_transpose: Fix rounding error
- avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
- avcodec/pngdec: Require a IHDR chunk before fctl
- avcodec/pngdec: Only allow one IHDR chunk
- wmavoice: limit wmavoice_decode_packet return value to packet size
- swscale/swscale_unscaled: Fix rounding difference with RGBA output between
little and big endian
- ffmpeg: Do not use the data/size of a bitstream filter after failure
- swscale/x86/rgb2rgb_template: fix signedness of v in
shuffle_bytes_2103_{mmx,mmxext}
- swscale/x86/rgb2rgb_template: add missing xmm clobbers
- vda: unlock the pixel buffer base address.
- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c()
- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix
shuffle_bytes_2103_c on BE
- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian
- swr: Remember previously set int_sample_format from user
- matroskadec: check audio sample rate
- matroskadec: validate audio channels and bitdepth
- avcodec/dpxenc: implement write16/32 as functions
- postproc: fix unaligned access
- ffmpeg: Free last_frame instead of just unref
- avio: fix potential crashes when combining ffio_ensure_seekback + crc
- h264: er: Copy from the previous reference only if compatible
- sonic: set avctx->channels in sonic_decode_init
- vp8: change mv_{min,max}.{x,y} type to int
- vp9: change type of tile_size from unsigned to int64_t
- arm: only enable setend on ARMv6
- libopenjpegdec: check existence of image component data
- mov: abort on EOF in ff_mov_read_chan
- ffmpeg_opt: Check for localtime() failure
- avformat: Fix bug in parse_rps for HEVC.
- takdec: ensure chan2 is a valid channel index
- avcodec/h264_slice: Use AVFrame diemensions for grayscale handling
- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet()
- libavutil/channel_layout: Correctly return layout when channel specification
ends with a trailing 'c'.
- avcodec/jpeg2000dec: Check that coords match before applying ICT
- avformat/ffmdec: Check ffio_set_buf_size() return value
- avcodec/adpcm: Check for overreads
- avcodec/alsdec: Check for overread
- avcodec/atrac3plusdec: consume only as many bytes as available
- libavutil/softfloat: Fix av_normalize1_sf bias.
- swresample/swresample: Cleanup on init failure.
- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr
dereference"
- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec
- swresample/dither: check memory allocation
- libopenjpegenc: add NULL check for img before accessing it
- swresample: Check the return value of resampler->init()
- h264: Make sure reinit failures mark the context as not initialized
- ffmpeg_opt: Set the video VBV parameters only for the video stream from
-target
- avcodec/bitstream: Assert that there is enough space left in
avpriv_copy_bits()
- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes()
- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged
- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size()
- avformat/wavdec: Increase dts packet threshold to fix more misdetections
- avformat/wavdec: Increase probe_packets limit
- avformat/swfdec: Do not error out on pixel format changes
- avfilter/x86/vf_hqdn3d: Fix register types
- avcodec/mjpegenc_common: Use ff_mpv_reallocate_putbitbuffer()
- avcodec/mpegvideo: Factor ff_mpv_reallocate_putbitbuffer() out
- avformat/mov: Mark avio context of decompressed atoms as seekable
- avcodec/hevc_ps: Only discard overread VPS if a previous is available
- avcodec/x86/h264_weight: handle weight1=128
- avcodec/exr: fix crash caused by merge
** Affects: ffmpeg (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1480311
Title:
FFmpeg security fixes July 2015
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1480311/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
