[Bug 1648265] [NEW] FFmpeg security fixes December 2016 II

Andreas Cadhalpun Wed, 07 Dec 2016 16:47:03 -0800

*** This bug is a security vulnerability ***

Public security bug reported:


FFmpeg 3.0.5 fixing a number of crashes and other potentially security
relevant issues was released.

This includes fixes for CVE-2016-5199 (3.0.4) and
CVE-2016-6164/CVE-2016-6881 (3.0.3).

>From the upstream Changelog:

version 3.0.5:
- configure: check for strtoull on msvc
- http: move chunk handling from http_read_stream() to http_buf_read().
- http: make length/offset-related variables unsigned.
- ffserver: Check chunk size
- Avoid using the term "file" and prefer "url" in some docs and comments
- avformat/rtmppkt: Check for packet size mismatches
- zmqsend: Initialize ret to 0
- avcodec/rawdec: check for side data before checking its size
- avcodec/flacdec: Fix undefined shift in decode_subframe()
- avcodec/get_bits: Fix get_sbits_long(0)
- avformat/ffmdec: Check media type for chunks
- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
- avformat/oggparsespeex: Check frames_per_packet and packet_size
- avformat/utils: Check start/end before computing duration in 
update_stream_timings()
- avcodec/flac_parser: Update nb_headers_buffered
- avformat/idroqdec: Check chunk_size for being too large
- avformat/mpeg: Adjust vid probe threshold to correct mis-detection
- avcodec/rv40: Test remaining space in loop of get_dimension()
- avcodec/ituh263dec: Avoid spending a long time in slice sync
- avcodec/movtextdec: Add error message for tsmb_size check
- avcodec/movtextdec: Fix tsmb_size check==0 check
- avcodec/movtextdec: Fix potential integer overflow
- avcodec/sunrast: Fix input buffer pointer check
- avcodec/tscc:  Check side data size before use
- avcodec/rawdec: Check side data size before use
- avcodec/msvideo1: Check side data size before use
- avcodec/qpeg:  Check side data size before use
- avcodec/qtrle:  Check side data size before use
- avcodec/msrle:  Check side data size before use
- avcodec/kmvc:  Check side data size before use
- avcodec/idcinvideo: Check side data size before use
- avcodec/cinepak: Check side data size before use
- avcodec/8bps: Check side data size before use
- avcodec/dvdsubdec: Fix off by 1 error
- avcodec/dvdsubdec: Fix buf_size check
- vp9: change order of operations in adapt_prob().
- avcodec/interplayvideo: Check side data size before use
- avformat/mxfdec: Check size to avoid integer overflow in 
mxf_read_utf16_string()
- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()
- avcodec/utils: Clear MMX state before returning from 
avcodec_default_execute*()
- avformat/icodec: Fix crash probing fuzzed file
- dcstr: fix division by zero
- rsd: limit number of channels
- mss2: only use error correction for matching block counts
- softfloat: decrease MIN_EXP to cover full float range
- libopusdec: default to stereo for invalid number of channels
- pgssubdec: only set w/h/linesize when allocating data
- sbgdec: prevent NULL pointer access
- smacker: limit recursion depth of smacker_decode_bigtree
- mxfdec: fix NULL pointer dereference in mxf_read_packet_old
- libschroedingerdec: fix leaking of framewithpts
- libschroedingerdec: don't produce empty frames
- softfloat: handle -INT_MAX correctly
- filmstripdec: correctly check image dimensions
- pnmdec: make sure v is capped by maxval
- smvjpegdec: make sure cur_frame is not negative
- icodec: correctly check avio_read return value
- dvbsubdec: fix division by zero in compute_default_clut
- proresdec_lgpl: explicitly check coff[3] against slice_data_size
- escape124: reject codebook size 0
- icodec: add ico_read_close to fix leaking ico->images
- icodec: fix leaking pkt on error
- mpegts: prevent division by zero
- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
- mpegaudio_parser: don't return AVERROR_PATCHWELCOME
- mxfdec: fix NULL pointer dereference
- lzf: update pointer p after realloc
- diracdec: check return code of get_buffer_with_edge
- ppc: pixblockdsp: do unaligned block accesses correctly again
- interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
- interplayacm: validate number of channels
- interplayacm: check for too large b
- mpeg12dec: unref discarded picture from extradata
- cavsdec: unref frame before referencing again
- avformat: prevent triggering request_probe assert in ff_read_packet
- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()


version 3.0.4:
- libopenjpegenc: fix out-of-bounds reads when filling the edges
- libopenjpegenc: stop reusing image data buffer for openjpeg 2
- configure: fix detection of libopenjpeg
- cmdutils: fix typos
- lavfi: fix typos
- lavc: fix typos
- tools: fix grammar error
- ffmpeg: remove unused and errorneous AVFrame timestamp check
- Support for MIPS cpu P6600
- avutil/mips/generic_macros_msa: rename macro variable which causes segfault 
for mips r
- avformat/avidec: Check nb_streams in read_gab2_sub()
- avformat/avidec: Remove ancient assert
- avformat/avidec: Fix memleak with dv in avi
- lavc/movtextdec.c: Avoid infinite loop on invalid data.
- avcodec/ansi: Check dimensions
- avcodec/cavsdsp: use av_clip_uint8() for idct
- avformat/movenc: Check packet in mov_write_single_packet() too
- avformat/movenc: Factor check_pkt() out
- avformat/utils: fix timebase error in avformat_seek_file()
- avcodec/g726: Add missing ADDB output mask
- avcodec/avpacket: clear side_data_elems
- avformat/movenc: Check first DTS similar to dts difference
- avcodec/ccaption_dec: Use simple array instead of AVBuffer
- avformat/mov: Fix potential integer overflow in mov_read_keys
- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices
- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices
- lavf/utils: Avoid an overflow for huge negative durations.

version 3.0.3:
- avformat/avidec: Fix infinite loop in avi_read_nikon()
- avcodec/aacenc: Tighter input checks
- avformat/wtvdec: Check pointer before use
- libavcodec/wmalosslessdec: Check the remaining bits
- avcodec/diracdec: Check numx/y
- avcodec/cfhd: Increase minimum band dimension to 3
- avcodec/indeo2: check ctab
- avformat/swfdec: Fix inflate() error code check
- avcodec/rawdec: Fix bits_per_coded_sample checks
- lavc/mjpegdec: Do not skip reading quantization tables.
- cmdutils: fix implicit declaration of SetDllDirectory function
- cmdutils: check for SetDllDirectory() availability
- avcodec/h264: Put context_count check back
- cmdutils: remove the current working directory from the DLL search path on 
win32
- avcodec/raw: Fix decoding of ilacetest.mov
- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample
- avformat/oggdec: Fix integer overflow with invalid pts
- ffplay: Fix invalid array index
- avcodec/vp9_parser: Check the input frame sizes for being consistent
- libavformat/rtpdec_asf: zero initialize the AVIOContext struct
- libavutil/opt: Small bugfix in example.
- libx264: Increase x264 opts character limit to 4096
- avformat/mov: Check sample size
- avformat/format: Fix registering a format more than once and related races
- avformat/flacdec: Fix seeking close to EOF
- avcodec/flac_parser: Raise threshold for detecting invalid data
- avformat/flvdec: Accept last size if its off by 1
- tests/api/api-codec-param-test: Do not directly access caps_internal
- avcodec: Add avpriv_codec_get_cap_skip_frame_fill_param()
- avfilter/vf_telecine: Make frame writable before writing into it
- avformat/mpegts: adjust probe score for low check_count
- avcodec/mpc8: Correct end truncation
- avformat/mp3dec: Increase probe score slightly when the whole data from begin 
to end is mp3
- avcodec/cfhd: Set dimensions unconditionally
- avcodec/mpegvideo: Do not clear the parse context during init
- avcodec/h264: Fix off by 1 context count
- avcodec/alsdec: Check r to prevent out of array read
- avcodec/alsdec: fix max bits in ltp prefix code
- avcodec/utils: check skip_samples signedness
- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M 
stream
- avcodec/bmp_parser: Check fsize
- avcodec/bmp_parser: reset state
- avcodec/bmp_parser: Fix remaining size
- avcodec/bmp_parser: Fix frame_start_found in cross frame cases
- avfilter/af_amix: do not fail if there are no samples in output_frame()
- avformat/allformats: Making av_register_all() thread-safe.
- librtmp: Avoid an infiniloop setting connection arguments
- avformat/oggparsevp8: fix pts calculation on pages ending with an invisible 
frame
- Revert "configure: Enable GCC vectorization on ≥4.9 on x86"
- avcodec/libopenjpegenc: Set numresolutions by default to a value that is not 
too large
- ffplay: Fix usage of private lavfi API
- tests/checkasm/checkasm: Disable checkasm_check_pixblockdsp for ppc64be
- avcodec/mpegvideo: Deallocate last/next picture earlier
- avcodec/bmp_parser: Fix state
- avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and 
libavformat/utils.c
- avformat/utils: avoid overflow in compute_chapters_end()  with huge durations
- avformat/utils: avoid overflow in update_stream_timings() with huge durations
- doc/developer.texi: Add a code of conduct
- ffserver: fixed deallocation bug in build_feed_streams
- avcodec/diracdec: Fix potential integer overflow
- avformat/avidec: Detect index with too short entries
- avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id()
- avformat/utils: Do not compute the bitrate from duration == 0
- ffmpeg: Check that r_frame_rate is set before attempting to use it
- swresample/resample: Fix division by 0 with tap_count=1
- swresample/rematrix: Use clipping s16 rematrixing if overflows are possible
- swresample/rematrix: Use error diffusion to avoid error in the DC component 
of the matrix
- hevc: Fix memory leak related to a53_caption data
- libavformat/oggdec: Free stream private when header parsing fails.
- avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
- avformat/oggparseopus: Check that granule pos is within the supported range
- avcodec/mjpegdec: Do not try to detect last scan but apply idct after all 
scans for progressive jpeg
- avformat/options_table: Add missing identifier for very strict compliance
- avformat/ffmdec: Check pix_fmt
- doc/general: update supported DCA extensions
- avcodec/rscc: check input buffer size for deflate mode
- avcodec/dca: fix sync word search error condition
- lavf/mpegts: Return small probe score for very short transport streams.

** Affects: ffmpeg (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-5199

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6164

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6881

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648265

Title:
  FFmpeg security fixes December 2016 II

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1648265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1648265] [NEW] FFmpeg security fixes December 2016 II

Reply via email to