*** This bug is a security vulnerability *** Public security bug reported:
FFmpeg 3.0.5, fixing a number of crashes and other potentially security-relevant issues, was released. This includes fixes for CVE-2016-5199 (3.0.4) and CVE-2016-6164/CVE-2016-6881 (3.0.3).

From the upstream Changelog:

version 3.0.5:
- configure: check for strtoull on msvc
- http: move chunk handling from http_read_stream() to http_buf_read().
- http: make length/offset-related variables unsigned.
- ffserver: Check chunk size
- Avoid using the term "file" and prefer "url" in some docs and comments
- avformat/rtmppkt: Check for packet size mismatches
- zmqsend: Initialize ret to 0
- avcodec/rawdec: check for side data before checking its size
- avcodec/flacdec: Fix undefined shift in decode_subframe()
- avcodec/get_bits: Fix get_sbits_long(0)
- avformat/ffmdec: Check media type for chunks
- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
- avformat/oggparsespeex: Check frames_per_packet and packet_size
- avformat/utils: Check start/end before computing duration in update_stream_timings()
- avcodec/flac_parser: Update nb_headers_buffered
- avformat/idroqdec: Check chunk_size for being too large
- avformat/mpeg: Adjust vid probe threshold to correct mis-detection
- avcodec/rv40: Test remaining space in loop of get_dimension()
- avcodec/ituh263dec: Avoid spending a long time in slice sync
- avcodec/movtextdec: Add error message for tsmb_size check
- avcodec/movtextdec: Fix tsmb_size check==0 check
- avcodec/movtextdec: Fix potential integer overflow
- avcodec/sunrast: Fix input buffer pointer check
- avcodec/tscc: Check side data size before use
- avcodec/rawdec: Check side data size before use
- avcodec/msvideo1: Check side data size before use
- avcodec/qpeg: Check side data size before use
- avcodec/qtrle: Check side data size before use
- avcodec/msrle: Check side data size before use
- avcodec/kmvc: Check side data size before use
- avcodec/idcinvideo: Check side data size before use
- avcodec/cinepak: Check side data size before use
- avcodec/8bps: Check side data size before use
- avcodec/dvdsubdec: Fix off by 1 error
- avcodec/dvdsubdec: Fix buf_size check
- vp9: change order of operations in adapt_prob().
- avcodec/interplayvideo: Check side data size before use
- avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()
- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()
- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*()
- avformat/icodec: Fix crash probing fuzzed file
- dcstr: fix division by zero
- rsd: limit number of channels
- mss2: only use error correction for matching block counts
- softfloat: decrease MIN_EXP to cover full float range
- libopusdec: default to stereo for invalid number of channels
- pgssubdec: only set w/h/linesize when allocating data
- sbgdec: prevent NULL pointer access
- smacker: limit recursion depth of smacker_decode_bigtree
- mxfdec: fix NULL pointer dereference in mxf_read_packet_old
- libschroedingerdec: fix leaking of framewithpts
- libschroedingerdec: don't produce empty frames
- softfloat: handle -INT_MAX correctly
- filmstripdec: correctly check image dimensions
- pnmdec: make sure v is capped by maxval
- smvjpegdec: make sure cur_frame is not negative
- icodec: correctly check avio_read return value
- dvbsubdec: fix division by zero in compute_default_clut
- proresdec_lgpl: explicitly check coff[3] against slice_data_size
- escape124: reject codebook size 0
- icodec: add ico_read_close to fix leaking ico->images
- icodec: fix leaking pkt on error
- mpegts: prevent division by zero
- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
- mpegaudio_parser: don't return AVERROR_PATCHWELCOME
- mxfdec: fix NULL pointer dereference
- lzf: update pointer p after realloc
- diracdec: check return code of get_buffer_with_edge
- ppc: pixblockdsp: do unaligned block accesses correctly again
- interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
- interplayacm: validate number of channels
- interplayacm: check for too large b
- mpeg12dec: unref discarded picture from extradata
- cavsdec: unref frame before referencing again
- avformat: prevent triggering request_probe assert in ff_read_packet
- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()

version 3.0.4:
- libopenjpegenc: fix out-of-bounds reads when filling the edges
- libopenjpegenc: stop reusing image data buffer for openjpeg 2
- configure: fix detection of libopenjpeg
- cmdutils: fix typos
- lavfi: fix typos
- lavc: fix typos
- tools: fix grammar error
- ffmpeg: remove unused and erroneous AVFrame timestamp check
- Support for MIPS cpu P6600
- avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r
- avformat/avidec: Check nb_streams in read_gab2_sub()
- avformat/avidec: Remove ancient assert
- avformat/avidec: Fix memleak with dv in avi
- lavc/movtextdec.c: Avoid infinite loop on invalid data.
- avcodec/ansi: Check dimensions
- avcodec/cavsdsp: use av_clip_uint8() for idct
- avformat/movenc: Check packet in mov_write_single_packet() too
- avformat/movenc: Factor check_pkt() out
- avformat/utils: fix timebase error in avformat_seek_file()
- avcodec/g726: Add missing ADDB output mask
- avcodec/avpacket: clear side_data_elems
- avformat/movenc: Check first DTS similar to dts difference
- avcodec/ccaption_dec: Use simple array instead of AVBuffer
- avformat/mov: Fix potential integer overflow in mov_read_keys
- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices
- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices
- lavf/utils: Avoid an overflow for huge negative durations.

version 3.0.3:
- avformat/avidec: Fix infinite loop in avi_read_nikon()
- avcodec/aacenc: Tighter input checks
- avformat/wtvdec: Check pointer before use
- libavcodec/wmalosslessdec: Check the remaining bits
- avcodec/diracdec: Check numx/y
- avcodec/cfhd: Increase minimum band dimension to 3
- avcodec/indeo2: check ctab
- avformat/swfdec: Fix inflate() error code check
- avcodec/rawdec: Fix bits_per_coded_sample checks
- lavc/mjpegdec: Do not skip reading quantization tables.
- cmdutils: fix implicit declaration of SetDllDirectory function
- cmdutils: check for SetDllDirectory() availability
- avcodec/h264: Put context_count check back
- cmdutils: remove the current working directory from the DLL search path on win32
- avcodec/raw: Fix decoding of ilacetest.mov
- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample
- avformat/oggdec: Fix integer overflow with invalid pts
- ffplay: Fix invalid array index
- avcodec/vp9_parser: Check the input frame sizes for being consistent
- libavformat/rtpdec_asf: zero initialize the AVIOContext struct
- libavutil/opt: Small bugfix in example.
- libx264: Increase x264 opts character limit to 4096
- avformat/mov: Check sample size
- avformat/format: Fix registering a format more than once and related races
- avformat/flacdec: Fix seeking close to EOF
- avcodec/flac_parser: Raise threshold for detecting invalid data
- avformat/flvdec: Accept last size if it's off by 1
- tests/api/api-codec-param-test: Do not directly access caps_internal
- avcodec: Add avpriv_codec_get_cap_skip_frame_fill_param()
- avfilter/vf_telecine: Make frame writable before writing into it
- avformat/mpegts: adjust probe score for low check_count
- avcodec/mpc8: Correct end truncation
- avformat/mp3dec: Increase probe score slightly when the whole data from begin to end is mp3
- avcodec/cfhd: Set dimensions unconditionally
- avcodec/mpegvideo: Do not clear the parse context during init
- avcodec/h264: Fix off by 1 context count
- avcodec/alsdec: Check r to prevent out of array read
- avcodec/alsdec: fix max bits in ltp prefix code
- avcodec/utils: check skip_samples signedness
- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream
- avcodec/bmp_parser: Check fsize
- avcodec/bmp_parser: reset state
- avcodec/bmp_parser: Fix remaining size
- avcodec/bmp_parser: Fix frame_start_found in cross frame cases
- avfilter/af_amix: do not fail if there are no samples in output_frame()
- avformat/allformats: Making av_register_all() thread-safe.
- librtmp: Avoid an infinite loop setting connection arguments
- avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame
- Revert "configure: Enable GCC vectorization on ≥4.9 on x86"
- avcodec/libopenjpegenc: Set numresolutions by default to a value that is not too large
- ffplay: Fix usage of private lavfi API
- tests/checkasm/checkasm: Disable checkasm_check_pixblockdsp for ppc64be
- avcodec/mpegvideo: Deallocate last/next picture earlier
- avcodec/bmp_parser: Fix state
- avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c
- avformat/utils: avoid overflow in compute_chapters_end() with huge durations
- avformat/utils: avoid overflow in update_stream_timings() with huge durations
- doc/developer.texi: Add a code of conduct
- ffserver: fixed deallocation bug in build_feed_streams
- avcodec/diracdec: Fix potential integer overflow
- avformat/avidec: Detect index with too short entries
- avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id()
- avformat/utils: Do not compute the bitrate from duration == 0
- ffmpeg: Check that r_frame_rate is set before attempting to use it
- swresample/resample: Fix division by 0 with tap_count=1
- swresample/rematrix: Use clipping s16 rematrixing if overflows are possible
- swresample/rematrix: Use error diffusion to avoid error in the DC component of the matrix
- hevc: Fix memory leak related to a53_caption data
- libavformat/oggdec: Free stream private when header parsing fails.
- avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
- avformat/oggparseopus: Check that granule pos is within the supported range
- avcodec/mjpegdec: Do not try to detect last scan but apply idct after all scans for progressive jpeg
- avformat/options_table: Add missing identifier for very strict compliance
- avformat/ffmdec: Check pix_fmt
- doc/general: update supported DCA extensions
- avcodec/rscc: check input buffer size for deflate mode
- avcodec/dca: fix sync word search error condition
- lavf/mpegts: Return small probe score for very short transport streams.

** Affects: ffmpeg (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5199
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6164
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6881

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648265

Title:
  FFmpeg security fixes December 2016 II

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1648265/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
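A large share of the entries above are the same defensive pattern: a size that came from the input (a chunk length, a packet side-data size, a string length) is checked against what is actually present before it drives a read or an allocation ("Check side data size before use", "Check chunk_size for being too large", "Check size to avoid integer overflow"). The following C program, added here as an illustration and not FFmpeg code, shows that pattern on a toy chunked layout and a toy palette side-data check. The format, the function names (count_chunks, apply_palette), the error codes and the sample byte arrays are all constructed for this example; the one point worth carrying over is that the length is compared with the bytes remaining (`size > len - pos`) rather than computed as `pos + size > len`, because the latter sum can wrap in a narrower offset type and let an oversized length through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return values follow the libav convention: >= 0 is success, < 0 an error.
 * The codes themselves are invented for this example. */
enum { ERR_TRUNCATED = -1, ERR_TOO_LARGE = -2, ERR_SIDE_DATA = -3 };

/* Toy chunked layout, constructed for this example (not an FFmpeg format):
 * a run of chunks, each a 4-byte little-endian payload length followed by
 * that many payload bytes. The length is attacker-controlled input. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks the chunks and returns how many are well formed, or a negative error
 * on the first chunk whose declared length is not actually present. */
int count_chunks(const uint8_t *buf, size_t len, size_t max_chunk)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        if (len - pos < 4)                 /* the header itself is cut short */
            return ERR_TRUNCATED;
        uint32_t size = rl32(buf + pos);
        pos += 4;

        /* Compare against the bytes remaining, never as `pos + size > len`:
         * with a narrower offset type (int, 32-bit size_t) that sum can wrap
         * and a huge declared size passes the check. */
        if (size > len - pos)
            return ERR_TRUNCATED;
        if (size > max_chunk)              /* cap before allocating from a file-supplied size */
            return ERR_TOO_LARGE;

        pos += size;
        count++;
    }
    return count;
}

/* Decoder-side check for optional side data: the palette blob must be at
 * least PALETTE_BYTES long before any byte of it is read. */
#define PALETTE_BYTES (256 * 4)
static uint8_t current_palette[PALETTE_BYTES];

int apply_palette(const uint8_t *side, size_t side_size)
{
    if (side == NULL)
        return 0;                          /* no side data attached: keep the old palette */
    if (side_size < PALETTE_BYTES)         /* too short: reject instead of reading past its end */
        return ERR_SIDE_DATA;
    memcpy(current_palette, side, PALETTE_BYTES);
    return 0;
}

/* Constructed sample inputs (not captured from real files). */
static const uint8_t SAMPLE_OK[]        = { 3,0,0,0, 'a','b','c', 0,0,0,0 };  /* 3-byte chunk, then an empty chunk */
static const uint8_t SAMPLE_OVERSIZED[] = { 0xF0,0xFF,0xFF,0xFF, 'x' };       /* declares ~4 GiB, carries one byte */
static const uint8_t SAMPLE_CUT_HDR[]   = { 3,0,0,0, 'a','b','c', 0,0 };      /* second header truncated */
static const uint8_t SHORT_PALETTE[16]  = { 0 };                              /* side data far below PALETTE_BYTES */

int main(void)
{
    printf("ok:        %d\n", count_chunks(SAMPLE_OK, sizeof SAMPLE_OK, 64));
    printf("oversized: %d\n", count_chunks(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, 64));
    printf("cut hdr:   %d\n", count_chunks(SAMPLE_CUT_HDR, sizeof SAMPLE_CUT_HDR, 64));
    printf("too large: %d\n", count_chunks(SAMPLE_OK, sizeof SAMPLE_OK, 2));
    printf("palette:   %d\n", apply_palette(SHORT_PALETTE, sizeof SHORT_PALETTE));
    return 0;
}
```

The max_chunk cap is the second half of the pattern: even when a declared size is covered by the buffer, a decoder that allocates or recurses in proportion to it should bound it against something the format itself justifies, which is what the "too large", "limit number of channels" and "limit recursion depth" entries in the changelog do.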