*** This bug is a security vulnerability *** Public security bug reported:
FFmpeg 2.8.9 fixing a number of crashes and other potentially security relevant issues was released. >From the upstream Changelog: version 2.8.9 - avcodec/flacdec: Fix undefined shift in decode_subframe() - avcodec/get_bits: Fix get_sbits_long(0) - avformat/ffmdec: Check media type for chunks - avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() - avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c - avformat/oggparsespeex: Check frames_per_packet and packet_size - avformat/utils: Check start/end before computing duration in update_stream_timings() - avcodec/flac_parser: Update nb_headers_buffered - avformat/idroqdec: Check chunk_size for being too large - filmstripdec: correctly check image dimensions - mss2: only use error correction for matching block counts - softfloat: decrease MIN_EXP to cover full float range - libopusdec: default to stereo for invalid number of channels - sbgdec: prevent NULL pointer access - smacker: limit recursion depth of smacker_decode_bigtree - mxfdec: fix NULL pointer dereference in mxf_read_packet_old - libschroedingerdec: fix leaking of framewithpts - libschroedingerdec: don't produce empty frames - softfloat: handle -INT_MAX correctly - pnmdec: make sure v is capped by maxval - smvjpegdec: make sure cur_frame is not negative - icodec: correctly check avio_read return value - icodec: fix leaking pkt on error - dvbsubdec: fix division by zero in compute_default_clut - proresdec_lgpl: explicitly check coff[3] against slice_data_size - escape124: reject codebook size 0 - mpegts: prevent division by zero - matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header - mpegaudio_parser: don't return AVERROR_PATCHWELCOME - mxfdec: fix NULL pointer dereference - diracdec: check return code of get_buffer_with_edge - ppc: pixblockdsp: do unaligned block accesses correctly again - mpeg12dec: unref discarded picture from extradata - cavsdec: unref frame before referencing again - avformat: prevent triggering request_probe assert in ff_read_packet - avformat/mpeg: Adjust vid probe threshold to correct mis-detection - avcodec/rv40: Test remaining space in loop of get_dimension() - avcodec/ituh263dec: Avoid spending a long time in slice sync - avcodec/movtextdec: Add error message for tsmb_size check - avcodec/movtextdec: Fix tsmb_size check==0 check - avcodec/movtextdec: Fix potential integer overflow - avcodec/sunrast: Fix input buffer pointer check - avcodec/tscc: Check side data size before use - avcodec/rawdec: Check side data size before use - avcodec/msvideo1: Check side data size before use - avcodec/qpeg: Check side data size before use - avcodec/qtrle: Check side data size before use - avcodec/msrle: Check side data size before use - avcodec/kmvc: Check side data size before use - avcodec/idcinvideo: Check side data size before use - avcodec/cinepak: Check side data size before use - avcodec/8bps: Check side data size before use - avcodec/dvdsubdec: Fix off by 1 error - avcodec/dvdsubdec: Fix buf_size check - vp9: change order of operations in adapt_prob(). - avcodec/interplayvideo: Check side data size before use - avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() - avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() - avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() - cmdutils: fix typos - lavfi: fix typos - lavc: fix typos - tools: fix grammar error - avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r6 - videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations. - avformat/avidec: Check nb_streams in read_gab2_sub() - avformat/avidec: Remove ancient assert - lavc/movtextdec.c: Avoid infinite loop on invalid data. - avcodec/ansi: Check dimensions - avcodec/cavsdsp: use av_clip_uint8() for idct ** Affects: ffmpeg (Ubuntu) Importance: Undecided Status: New ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1647226 Title: FFmpeg security fixes December 2016 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1647226/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs