*** This bug is a security vulnerability ***
Public security bug reported:
FFmpeg 2.8.9 fixing a number of crashes and other potentially security
relevant issues was released.
>From the upstream Changelog:
version 2.8.9
- avcodec/flacdec: Fix undefined shift in decode_subframe()
- avcodec/get_bits: Fix get_sbits_long(0)
- avformat/ffmdec: Check media type for chunks
- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
- avformat/oggparsespeex: Check frames_per_packet and packet_size
- avformat/utils: Check start/end before computing duration in
update_stream_timings()
- avcodec/flac_parser: Update nb_headers_buffered
- avformat/idroqdec: Check chunk_size for being too large
- filmstripdec: correctly check image dimensions
- mss2: only use error correction for matching block counts
- softfloat: decrease MIN_EXP to cover full float range
- libopusdec: default to stereo for invalid number of channels
- sbgdec: prevent NULL pointer access
- smacker: limit recursion depth of smacker_decode_bigtree
- mxfdec: fix NULL pointer dereference in mxf_read_packet_old
- libschroedingerdec: fix leaking of framewithpts
- libschroedingerdec: don't produce empty frames
- softfloat: handle -INT_MAX correctly
- pnmdec: make sure v is capped by maxval
- smvjpegdec: make sure cur_frame is not negative
- icodec: correctly check avio_read return value
- icodec: fix leaking pkt on error
- dvbsubdec: fix division by zero in compute_default_clut
- proresdec_lgpl: explicitly check coff[3] against slice_data_size
- escape124: reject codebook size 0
- mpegts: prevent division by zero
- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
- mpegaudio_parser: don't return AVERROR_PATCHWELCOME
- mxfdec: fix NULL pointer dereference
- diracdec: check return code of get_buffer_with_edge
- ppc: pixblockdsp: do unaligned block accesses correctly again
- mpeg12dec: unref discarded picture from extradata
- cavsdec: unref frame before referencing again
- avformat: prevent triggering request_probe assert in ff_read_packet
- avformat/mpeg: Adjust vid probe threshold to correct mis-detection
- avcodec/rv40: Test remaining space in loop of get_dimension()
- avcodec/ituh263dec: Avoid spending a long time in slice sync
- avcodec/movtextdec: Add error message for tsmb_size check
- avcodec/movtextdec: Fix tsmb_size check==0 check
- avcodec/movtextdec: Fix potential integer overflow
- avcodec/sunrast: Fix input buffer pointer check
- avcodec/tscc: Check side data size before use
- avcodec/rawdec: Check side data size before use
- avcodec/msvideo1: Check side data size before use
- avcodec/qpeg: Check side data size before use
- avcodec/qtrle: Check side data size before use
- avcodec/msrle: Check side data size before use
- avcodec/kmvc: Check side data size before use
- avcodec/idcinvideo: Check side data size before use
- avcodec/cinepak: Check side data size before use
- avcodec/8bps: Check side data size before use
- avcodec/dvdsubdec: Fix off by 1 error
- avcodec/dvdsubdec: Fix buf_size check
- vp9: change order of operations in adapt_prob().
- avcodec/interplayvideo: Check side data size before use
- avformat/mxfdec: Check size to avoid integer overflow in
mxf_read_utf16_string()
- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()
- avcodec/utils: Clear MMX state before returning from
avcodec_default_execute*()
- cmdutils: fix typos
- lavfi: fix typos
- lavc: fix typos
- tools: fix grammar error
- avutil/mips/generic_macros_msa: rename macro variable which causes segfault
for mips r6
- videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.
- avformat/avidec: Check nb_streams in read_gab2_sub()
- avformat/avidec: Remove ancient assert
- lavc/movtextdec.c: Avoid infinite loop on invalid data.
- avcodec/ansi: Check dimensions
- avcodec/cavsdsp: use av_clip_uint8() for idct
** Affects: ffmpeg (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647226
Title:
FFmpeg security fixes December 2016
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1647226/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
