[SCM] FFmpeg packaging branch, lenny, updated. debian/0.svn20080206-18-3-g6f84129

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Fri Dec 4 23:30:44 UTC 2009


The following commit has been merged in the lenny branch:
commit f32bb1cfad5b13f07a36e070c2d302b2922fb859
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Fri Dec 4 22:26:17 2009 +0100

    backport security patches from ubuntu branch
    
    The following patches have been dropped
    security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
    security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
    security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
    
    All other patches either applied more or less cleanly or have been
    massaged to apply cleanly.
    
    remove debian/patches/

diff --git a/debian/patches/security/libavcodec/ffv1/0001-Fix-a-possibly-exploitable-buffer-overflow.patch b/debian/patches/security/libavcodec/ffv1/0001-Fix-a-possibly-exploitable-buffer-overflow.patch
new file mode 100644
index 0000000..df8d3a5
--- /dev/null
+++ b/debian/patches/security/libavcodec/ffv1/0001-Fix-a-possibly-exploitable-buffer-overflow.patch
@@ -0,0 +1,24 @@
+From 97e433db7abb9095e2af61ef05ffeda2699588e4 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Tue, 21 Apr 2009 12:00:39 +0000
+Subject: [PATCH] Fix a possibly exploitable buffer overflow.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18640 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/ffv1.c |    3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+--- a/libavcodec/ffv1.c
++++ b/libavcodec/ffv1.c
+@@ -251,10 +251,9 @@ static inline int get_symbol(RangeCoder 
+     else{
+         int i, e, a;
+         e= 0;
+-        while(get_rac(c, state+1 + e)){ //1..10
++        while(get_rac(c, state+1 + e) && e<9){ //1..10
+             e++;
+         }
+-        assert(e<=9);
+ 
+         a= 1;
+         for(i=e-1; i>=0; i--){
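Review bot: The new cap in get_symbol is tested after `get_rac(c, state+1 + e)` has already run, so the coder is still called once with e==9 (state+10, the top of the range named in the `//1..10` comment), and with `assert(e<=9)` removed nothing records why 9 is the limit. A comment on the `while` line would help, for example `// e is capped at 9 so the state indices derived from it stay inside the context array`; the array size is not visible in this hunk, so that wording should be confirmed against the declaration. A stream that reaches the cap is now decoded silently with a clamped exponent, which the comment should also state. get_symbol's body starts and ends outside the hunk.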
diff --git a/debian/patches/security/libavcodec/h264/0001-Check-num_units_in_tick-time_scale-to-be-valid-and-w.patch b/debian/patches/security/libavcodec/h264/0001-Check-num_units_in_tick-time_scale-to-be-valid-and-w.patch
new file mode 100644
index 0000000..67d452d
--- /dev/null
+++ b/debian/patches/security/libavcodec/h264/0001-Check-num_units_in_tick-time_scale-to-be-valid-and-w.patch
@@ -0,0 +1,24 @@
+From 1259942b556eb7e58c74d09f0e160c204c7f0ac1 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 09:58:44 +0000
+Subject: [PATCH] Check num_units_in_tick/time_scale to be valid and within the range we support.
+ based on a patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19979 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/h264.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+--- a/libavcodec/h264.c
++++ b/libavcodec/h264.c
+@@ -7043,6 +7043,10 @@ static inline int decode_vui_parameters(
+     if(sps->timing_info_present_flag){
+         sps->num_units_in_tick = get_bits_long(&s->gb, 32);
+         sps->time_scale = get_bits_long(&s->gb, 32);
++        if(sps->num_units_in_tick-1 > 0x7FFFFFFEU || sps->time_scale-1 > 0x7FFFFFFEU){
++            av_log(h->s.avctx, AV_LOG_ERROR, "time_scale/num_units_in_tick inavlid or unsupported (%d/%d)\n", sps->time_scale, sps->num_units_in_tick);
++            return -1;
++        }
+         sps->fixed_frame_rate_flag = get_bits1(&s->gb);
+     }
+ 
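Review bot: The new av_log call in decode_vui_parameters misspells "invalid" as "inavlid" and prints both fields with `%d` although they were just filled from `get_bits_long(&s->gb, 32)`. If the fields are unsigned 32-bit (their declaration is outside the hunk), a value above 0x7FFFFFFF, which is exactly what the check rejects, is logged as a negative number. Suggested message: `"time_scale/num_units_in_tick invalid or unsupported (%u/%u)\n"`. The range test relies on unsigned wrap-around of `x-1` to reject 0 as well, which deserves a one-line comment such as `// accept 1..0x7FFFFFFF only; 0 wraps to UINT_MAX`.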
diff --git a/debian/patches/security/libavcodec/mpegaudiodec/0001-check-data_size-in-decode_frame.patch b/debian/patches/security/libavcodec/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
new file mode 100644
index 0000000..a451b44
--- /dev/null
+++ b/debian/patches/security/libavcodec/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
@@ -0,0 +1,22 @@
+From af59b51d945929694b5533d3d28ea4215e42af67 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 11:29:38 +0000
+Subject: [PATCH 1/3] check data_size in decode_frame()
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19986 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/mpegaudiodec.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -2410,6 +2410,9 @@ retry:
+         break;
+     }
+ 
++    if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
++        return -1;
++
+     if(s->frame_size<=0 || s->frame_size > buf_size){
+         av_log(avctx, AV_LOG_ERROR, "incomplete frame\n");
+         return -1;
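Review bot: The size guard compares `*data_size` with an expression of type size_t (because of `sizeof(OUT_INT)`), so if data_size points to a signed int (its declaration is outside the hunk) a negative value is converted to a large unsigned number and passes the check. Rejecting it explicitly closes that gap: `if(*data_size < 0 || *data_size < 1152*avctx->channels*sizeof(OUT_INT))`. The early return is also silent; an av_log line like the `"incomplete frame\n"` one just below would make the failure diagnosable. The enclosing function starts and ends outside the hunk.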
diff --git a/debian/patches/security/libavcodec/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch b/debian/patches/security/libavcodec/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch
new file mode 100644
index 0000000..ee37e99
--- /dev/null
+++ b/debian/patches/security/libavcodec/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch
@@ -0,0 +1,21 @@
+From 7565e59ef9effe28962d7103f78c2d25e76524e0 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 11:44:30 +0000
+Subject: [PATCH 3/3] Set data_size to 0 to avoid having it uninitialized.
+ based on 31_mp3_outlen.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19988 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/mpegaudiodec.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -2412,6 +2412,7 @@ retry:
+ 
+     if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
+         return -1;
++    *data_size = 0;
+ 
+     if(s->frame_size<=0 || s->frame_size > buf_size){
+         av_log(avctx, AV_LOG_ERROR, "incomplete frame\n");
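Review bot: `*data_size = 0;` sits after the size check, so the `return -1` directly above it (and any earlier error return in the function, which is not visible here) still leaves the caller's value in `*data_size`. A caller that reads the output size without checking the return code would then see a non-zero size for a frame that was never decoded. Reading the capacity into a local first avoids this, assuming an int: `int out_size = *data_size; *data_size = 0;` followed by `if(out_size < 1152*avctx->channels*sizeof(OUT_INT)) return -1;`.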
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0001-Check-dimensions-against-0-too.patch b/debian/patches/security/libavcodec/vorbis_dec/0001-Check-dimensions-against-0-too.patch
new file mode 100644
index 0000000..f775087
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0001-Check-dimensions-against-0-too.patch
@@ -0,0 +1,24 @@
+From 68cb8f3c6c3bde792c0e918a441be3ede478f8cc Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 08:35:29 +0000
+Subject: [PATCH 01/12] Check dimensions against 0 too.
+ 39_vorbis_zero_dims.patch from chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19976 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -255,8 +255,8 @@ static int vorbis_parse_setup_hdr_codebo
+         }
+ 
+         codebook_setup->dimensions=get_bits(gb, 16);
+-        if (codebook_setup->dimensions>16) {
+-            av_log(vc->avccontext, AV_LOG_ERROR, " %"PRIdFAST16". Codebook's dimension is too large (%d). \n", cb, codebook_setup->dimensions);
++        if (codebook_setup->dimensions>16||codebook_setup->dimensions==0) {
++            av_log(vc->avccontext, AV_LOG_ERROR, " %"PRIdFAST16". Codebook's dimension is invalid (%d). \n", cb, codebook_setup->dimensions);
+             goto error;
+         }
+         entries=get_bits(gb, 24);
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0002-typo.patch b/debian/patches/security/libavcodec/vorbis_dec/0002-typo.patch
new file mode 100644
index 0000000..1618116
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0002-typo.patch
@@ -0,0 +1,22 @@
+From 0a7e56db7441d14afa66d228de17c63d5b49f8e9 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:33:49 +0000
+Subject: [PATCH 02/12] = -> == typo.
+ 27_vorbis_residue_loop_error.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19982 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -1467,7 +1467,7 @@ static int vorbis_parse_audio_packet(vor
+         uint_fast8_t ch=0;
+ 
+         for(j=0;j<vc->audio_channels;++j) {
+-            if ((mapping->submaps==1) || (i=mapping->mux[j])) {
++            if ((mapping->submaps==1) || (i==mapping->mux[j])) {
+                 res_chan[j]=res_num;
+                 if (no_residue[j]) {
+                     do_not_decode[ch]=1;
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch b/debian/patches/security/libavcodec/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
new file mode 100644
index 0000000..b14cb9f
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
@@ -0,0 +1,29 @@
+From b8f5dcd9af3d9997143b42980aec5226f7bad677 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:40:33 +0000
+Subject: [PATCH 03/12] Sanity checks for magnitude and angle.
+ 26_vorbis_mag_angle_index.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19983 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -708,7 +708,14 @@ static int vorbis_parse_setup_hdr_mappin
+             for(j=0;j<mapping_setup->coupling_steps;++j) {
+                 mapping_setup->magnitude[j]=get_bits(gb, ilog(vc->audio_channels-1));
+                 mapping_setup->angle[j]=get_bits(gb, ilog(vc->audio_channels-1));
+-                // FIXME: sanity checks
++                if (mapping_setup->magnitude[j]>=vc->audio_channels) {
++                    av_log(vc->avccontext, AV_LOG_ERROR, "magnitude channel %d out of range. \n", mapping_setup->magnitude[j]);
++                    return 1;
++                }
++                if (mapping_setup->angle[j]>=vc->audio_channels) {
++                    av_log(vc->avccontext, AV_LOG_ERROR, "angle channel %d out of range. \n", mapping_setup->angle[j]);
++                    return 1;
++                }
+             }
+         } else {
+             mapping_setup->coupling_steps=0;
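Review bot: The two range checks that replace `// FIXME: sanity checks` do not reject a coupling step whose magnitude and angle channel are the same, which the Vorbis I specification also lists as making the stream undecodable. Adding `if (mapping_setup->magnitude[j]==mapping_setup->angle[j])` with the same av_log-and-return pattern would complete the validation. Both values are printed with `%d`; whether that matches the field types cannot be checked from this hunk. The function body continues outside the hunk.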
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0004-Fix-book_idx-check.patch b/debian/patches/security/libavcodec/vorbis_dec/0004-Fix-book_idx-check.patch
new file mode 100644
index 0000000..72d0e1b
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0004-Fix-book_idx-check.patch
@@ -0,0 +1,28 @@
+From a2dad711e92fbb83a2d79959bb67764d034a56e3 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:45:14 +0000
+Subject: [PATCH 04/12] Fix book_idx check.
+ 25_vorbis_floor0_index.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19984 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -564,12 +564,11 @@ static int vorbis_parse_setup_hdr_floors
+                 uint_fast8_t book_idx;
+                 for (idx=0;idx<floor_setup->data.t0.num_books;++idx) {
+                     book_idx=get_bits(gb, 8);
++                    if (book_idx>=vc->codebook_count)
++                        return 1;
+                     floor_setup->data.t0.book_list[idx]=book_idx;
+                     if (vc->codebooks[book_idx].dimensions > max_codebook_dim)
+                         max_codebook_dim=vc->codebooks[book_idx].dimensions;
+-
+-                    if (floor_setup->data.t0.book_list[idx]>vc->codebook_count)
+-                        return 1;
+                 }
+             }
+ 
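Review bot: The relocated `book_idx` check returns without logging anything, unlike the other out-of-range checks added in this series (masterbook, classbook, mode mapping), so a rejected floor 0 header gives no hint which field was wrong. Suggest `av_log(vc->avccontext, AV_LOG_ERROR, "floor0 book index %d out of range.\n", book_idx);` before the `return 1;`. A short comment saying the test has to precede the `vc->codebooks[book_idx]` read two lines below would keep a later reorder from reintroducing the unchecked index.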
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0005-Check-classbook-value.patch b/debian/patches/security/libavcodec/vorbis_dec/0005-Check-classbook-value.patch
new file mode 100644
index 0000000..b55792c
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0005-Check-classbook-value.patch
@@ -0,0 +1,24 @@
+From 093a791b172df483199fe81ac59ffcdbb63bf6c7 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:02:31 +0000
+Subject: [PATCH 05/12] Check classbook value.
+ 11_vorbis_residue_book_index.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19989 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -641,6 +641,10 @@ static int vorbis_parse_setup_hdr_residu
+         res_setup->partition_size=get_bits(gb, 24)+1;
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
++        if (res_setup->classbook>=vc->codebook_count) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "classbook value %d out of range. \n", res_setup->classbook);
++            return 1;
++        }
+ 
+         AV_DEBUG("    begin %d end %d part.size %d classif.s %d classbook %d \n", res_setup->begin, res_setup->end, res_setup->partition_size,
+           res_setup->classifications, res_setup->classbook);
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch b/debian/patches/security/libavcodec/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
new file mode 100644
index 0000000..2c14187
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
@@ -0,0 +1,38 @@
+From 6d7908b8de6d34b425e18c412c341ed34e4f1fe4 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:09:33 +0000
+Subject: [PATCH 06/12] Add checks for per-packet mode indexes and per-header mode mapping indexes.
+ 12_vorbis_mode_indexes.patch by chrome
+ maybe exploitable
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19990 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -804,7 +804,11 @@ static int vorbis_parse_setup_hdr_modes(
+         mode_setup->blockflag=get_bits1(gb);
+         mode_setup->windowtype=get_bits(gb, 16); //FIXME check
+         mode_setup->transformtype=get_bits(gb, 16); //FIXME check
+-        mode_setup->mapping=get_bits(gb, 8); //FIXME check
++        mode_setup->mapping=get_bits(gb, 8);
++        if (mode_setup->mapping>=vc->mapping_count) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
++            return 1;
++        }
+ 
+         AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
+     }
+@@ -1433,6 +1437,10 @@ static int vorbis_parse_audio_packet(vor
+     } else {
+         mode_number=get_bits(gb, ilog(vc->mode_count-1));
+     }
++    if (mode_number>=vc->mode_count) {
++        av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
++        return -1;
++    }
+     vc->mode_number=mode_number;
+     mapping=&vc->mappings[vc->modes[mode_number].mapping];
+ 
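Review bot: In vorbis_parse_setup_hdr_modes the neighbouring `windowtype` and `transformtype` reads keep their `//FIXME check` markers while only `mapping` gains validation. The Vorbis I specification allows only zero for both fields, so `if (mode_setup->windowtype || mode_setup->transformtype)` with the same log-and-return pattern would resolve the two markers. Neither field is used as an index in the visible lines, so this is a conformance check rather than a bounds fix. Both functions continue outside the hunks.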
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch b/debian/patches/security/libavcodec/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
new file mode 100644
index 0000000..c3d8475
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
@@ -0,0 +1,39 @@
+From 8ff644b871f3afe9529e451d86efb2f08014b53b Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:17:54 +0000
+Subject: [PATCH 07/12] Check masterbook index and subclass book index.
+ 14_floor_masterbook_index.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19991 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   14 ++++++++++++--
+ 1 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -498,13 +498,23 @@ static int vorbis_parse_setup_hdr_floors
+                 AV_DEBUG(" %d floor %d class dim: %d subclasses %d \n", i, j, floor_setup->data.t1.class_dimensions[j], floor_setup->data.t1.class_subclasses[j]);
+ 
+                 if (floor_setup->data.t1.class_subclasses[j]) {
+-                    floor_setup->data.t1.class_masterbook[j]=get_bits(gb, 8);
++                    int bits=get_bits(gb, 8);
++                    if (bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "Masterbook index %d is out of range.\n", bits);
++                        return 1;
++                    }
++                    floor_setup->data.t1.class_masterbook[j]=bits;
+ 
+                     AV_DEBUG("   masterbook: %d \n", floor_setup->data.t1.class_masterbook[j]);
+                 }
+ 
+                 for(k=0;k<(1<<floor_setup->data.t1.class_subclasses[j]);++k) {
+-                    floor_setup->data.t1.subclass_books[j][k]=(int16_t)get_bits(gb, 8)-1;
++                    int16_t bits=get_bits(gb, 8)-1;
++                    if (bits!=-1 && bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "Subclass book index %d is out of range.\n", bits);
++                        return 1;
++                    }
++                    floor_setup->data.t1.subclass_books[j][k]=bits;
+ 
+                     AV_DEBUG("    book %d. : %d \n", k, floor_setup->data.t1.subclass_books[j][k]);
+                 }
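Review bot: The temporaries that hold the freshly read codebook indexes are named `bits`, once as `int` and once as `int16_t` within the same function, which reads as a bit count rather than an index; `book_idx`, the name the floor 0 patch in this series uses, would be clearer. The same naming appears in the res_setup->books patch (0008) and the submap patch (0011). In the subclass check a short comment such as `// -1 means no book for this subclass` would explain the `bits!=-1` exemption; that meaning is inferred from the `get_bits(gb, 8)-1` encoding and should be confirmed.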
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0008-Check-res_setup-books.patch b/debian/patches/security/libavcodec/vorbis_dec/0008-Check-res_setup-books.patch
new file mode 100644
index 0000000..08a996f
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0008-Check-res_setup-books.patch
@@ -0,0 +1,27 @@
+From ecd690a24a440553e0ba587e13dc5b2ec279f0a8 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:24:21 +0000
+Subject: [PATCH 08/12] Check  res_setup->books.
+ 15_more_residue_book_indexes.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19992 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -674,7 +674,12 @@ static int vorbis_parse_setup_hdr_residu
+         for(j=0;j<res_setup->classifications;++j) {
+             for(k=0;k<8;++k) {
+                 if (cascade[j]&(1<<k)) {
+-                        res_setup->books[j][k]=get_bits(gb, 8);
++                    int bits=get_bits(gb, 8);
++                    if (bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "book value %d out of range. \n", bits);
++                        return 1;
++                    }
++                    res_setup->books[j][k]=bits;
+ 
+                     AV_DEBUG("     %d class casscade depth %d book: %d \n", j, k, res_setup->books[j][k]);
+ 
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0009-Check-begin-end-partition_size.patch b/debian/patches/security/libavcodec/vorbis_dec/0009-Check-begin-end-partition_size.patch
new file mode 100644
index 0000000..a8f3c6f
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0009-Check-begin-end-partition_size.patch
@@ -0,0 +1,38 @@
+From d71f5b5b2b9f2e0ba2da67ca2c15b9bbb69ac1fc Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 13:08:48 +0000
+Subject: [PATCH 09/12] Check begin/end/partition_size.
+ 23_vorbis_sane_partition.patch by chrome.
+ Also this should be better documented but i prefer not to leave potential
+ security issues open due to missing documentation.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19996 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -37,6 +37,7 @@
+ #define V_NB_BITS 8
+ #define V_NB_BITS2 11
+ #define V_MAX_VLCS (1<<16)
++#define V_MAX_PARTITIONS (1<<20)
+ 
+ #ifndef V_DEBUG
+ #define AV_DEBUG(...)
+@@ -649,6 +650,14 @@ static int vorbis_parse_setup_hdr_residu
+         res_setup->begin=get_bits(gb, 24);
+         res_setup->end=get_bits(gb, 24);
+         res_setup->partition_size=get_bits(gb, 24)+1;
++        /* Validations to prevent a buffer overflow later. */
++        if (res_setup->begin>res_setup->end
++        || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
++        || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
++            return 1;
++        }
++
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
+         if (res_setup->classbook>=vc->codebook_count) {
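Review bot: The error message prints `vc->blocksize[1]/2` as the block size limit, but the check above it divides by `(res_setup->type==2?1:2)`, so for a type 2 residue the logged limit is half of the one actually applied. Passing `vc->blocksize[1]/(res_setup->type==2?1:2)` as the last av_log argument keeps the message in line with the test. The comment `/* Validations to prevent a buffer overflow later. */` could also say which buffer is protected and why V_MAX_PARTITIONS is `1<<20`; neither is visible in this hunk.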
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0010-Make-error-return-sign-consistent.patch b/debian/patches/security/libavcodec/vorbis_dec/0010-Make-error-return-sign-consistent.patch
new file mode 100644
index 0000000..49f8515
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0010-Make-error-return-sign-consistent.patch
@@ -0,0 +1,251 @@
+From 213d02328757c6b212ac6d4bb7ec23f70080fb25 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 13:18:29 +0000
+Subject: [PATCH 10/12] Make error return sign consistent.
+
+edited by siretart at tauware.de to apply to 0.5
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19997 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   60 +++++++++++++++++++++++-----------------------
+ 1 files changed, 30 insertions(+), 30 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -424,7 +424,7 @@ static int vorbis_parse_setup_hdr_codebo
+ error:
+     av_free(tmp_vlc_bits);
+     av_free(tmp_vlc_codes);
+-    return 1;
++    return -1;
+ }
+ 
+ // Process time domain transforms part (unused in Vorbis I)
+@@ -441,7 +441,7 @@ static int vorbis_parse_setup_hdr_tdtran
+ 
+         if (vorbis_tdtransform) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis time domain transform data nonzero. \n");
+-            return 1;
++            return -1;
+         }
+     }
+     return 0;
+@@ -502,7 +502,7 @@ static int vorbis_parse_setup_hdr_floors
+                     int bits=get_bits(gb, 8);
+                     if (bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "Masterbook index %d is out of range.\n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     floor_setup->data.t1.class_masterbook[j]=bits;
+ 
+@@ -513,7 +513,7 @@ static int vorbis_parse_setup_hdr_floors
+                     int16_t bits=get_bits(gb, 8)-1;
+                     if (bits!=-1 && bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "Subclass book index %d is out of range.\n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     floor_setup->data.t1.subclass_books[j][k]=bits;
+ 
+@@ -560,7 +560,7 @@ static int vorbis_parse_setup_hdr_floors
+             if (floor_setup->data.t0.amplitude_bits == 0) {
+               av_log(vc->avccontext, AV_LOG_ERROR,
+                      "Floor 0 amplitude bits is 0.\n");
+-              return 1;
++              return -1;
+             }
+             floor_setup->data.t0.amplitude_offset=get_bits(gb, 8);
+             floor_setup->data.t0.num_books=get_bits(gb, 4)+1;
+@@ -568,7 +568,7 @@ static int vorbis_parse_setup_hdr_floors
+             /* allocate mem for booklist */
+             floor_setup->data.t0.book_list=
+                 av_malloc(floor_setup->data.t0.num_books);
+-            if(!floor_setup->data.t0.book_list) { return 1; }
++            if(!floor_setup->data.t0.book_list) { return -1; }
+             /* read book indexes */
+             {
+                 int idx;
+@@ -576,7 +576,7 @@ static int vorbis_parse_setup_hdr_floors
+                 for (idx=0;idx<floor_setup->data.t0.num_books;++idx) {
+                     book_idx=get_bits(gb, 8);
+                     if (book_idx>=vc->codebook_count)
+-                        return 1;
++                        return -1;
+                     floor_setup->data.t0.book_list[idx]=book_idx;
+                     if (vc->codebooks[book_idx].dimensions > max_codebook_dim)
+                         max_codebook_dim=vc->codebooks[book_idx].dimensions;
+@@ -592,7 +592,7 @@ static int vorbis_parse_setup_hdr_floors
+                 floor_setup->data.t0.lsp=
+                     av_malloc((floor_setup->data.t0.order+1 + max_codebook_dim)
+                               * sizeof(float));
+-                if(!floor_setup->data.t0.lsp) { return 1; }
++                if(!floor_setup->data.t0.lsp) { return -1; }
+             }
+ 
+ #ifdef V_DEBUG /* debug output parsed headers */
+@@ -620,7 +620,7 @@ static int vorbis_parse_setup_hdr_floors
+         }
+         else {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Invalid floor type!\n");
+-            return 1;
++            return -1;
+         }
+     }
+     return 0;
+@@ -655,14 +655,14 @@ static int vorbis_parse_setup_hdr_residu
+         || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+         || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+-            return 1;
++            return -1;
+         }
+ 
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
+         if (res_setup->classbook>=vc->codebook_count) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "classbook value %d out of range. \n", res_setup->classbook);
+-            return 1;
++            return -1;
+         }
+ 
+         AV_DEBUG("    begin %d end %d part.size %d classif.s %d classbook %d \n", res_setup->begin, res_setup->end, res_setup->partition_size,
+@@ -686,7 +686,7 @@ static int vorbis_parse_setup_hdr_residu
+                     int bits=get_bits(gb, 8);
+                     if (bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "book value %d out of range. \n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     res_setup->books[j][k]=bits;
+ 
+@@ -720,7 +720,7 @@ static int vorbis_parse_setup_hdr_mappin
+ 
+         if (get_bits(gb, 16)) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Other mappings than type 0 are not compliant with the Vorbis I specification. \n");
+-            return 1;
++            return -1;
+         }
+         if (get_bits1(gb)) {
+             mapping_setup->submaps=get_bits(gb, 4)+1;
+@@ -737,11 +737,11 @@ static int vorbis_parse_setup_hdr_mappin
+                 mapping_setup->angle[j]=get_bits(gb, ilog(vc->audio_channels-1));
+                 if (mapping_setup->magnitude[j]>=vc->audio_channels) {
+                     av_log(vc->avccontext, AV_LOG_ERROR, "magnitude channel %d out of range. \n", mapping_setup->magnitude[j]);
+-                    return 1;
++                    return -1;
+                 }
+                 if (mapping_setup->angle[j]>=vc->audio_channels) {
+                     av_log(vc->avccontext, AV_LOG_ERROR, "angle channel %d out of range. \n", mapping_setup->angle[j]);
+-                    return 1;
++                    return -1;
+                 }
+             }
+         } else {
+@@ -752,7 +752,7 @@ static int vorbis_parse_setup_hdr_mappin
+ 
+         if(get_bits(gb, 2)) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "%d. mapping setup data invalid. \n", i);
+-            return 1; // following spec.
++            return -1; // following spec.
+         }
+ 
+         if (mapping_setup->submaps>1) {
+@@ -831,7 +831,7 @@ static int vorbis_parse_setup_hdr_modes(
+         mode_setup->mapping=get_bits(gb, 8);
+         if (mode_setup->mapping>=vc->mapping_count) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
+-            return 1;
++            return -1;
+         }
+ 
+         AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
+@@ -848,36 +848,36 @@ static int vorbis_parse_setup_hdr(vorbis
+     (get_bits(gb, 8)!='r') || (get_bits(gb, 8)!='b') ||
+     (get_bits(gb, 8)!='i') || (get_bits(gb, 8)!='s')) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (no vorbis signature). \n");
+-        return 1;
++        return -1;
+     }
+ 
+     if (vorbis_parse_setup_hdr_codebooks(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (codebooks). \n");
+-        return 2;
++        return -2;
+     }
+     if (vorbis_parse_setup_hdr_tdtransforms(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (time domain transforms). \n");
+-        return 3;
++        return -3;
+     }
+     if (vorbis_parse_setup_hdr_floors(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (floors). \n");
+-        return 4;
++        return -4;
+     }
+     if (vorbis_parse_setup_hdr_residues(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (residues). \n");
+-        return 5;
++        return -5;
+     }
+     if (vorbis_parse_setup_hdr_mappings(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (mappings). \n");
+-        return 6;
++        return -6;
+     }
+     if (vorbis_parse_setup_hdr_modes(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (modes). \n");
+-        return 7;
++        return -7;
+     }
+     if (!get_bits1(gb)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (framing flag). \n");
+-        return 8; // framing flag bit unset error
++        return -8; // framing flag bit unset error
+     }
+ 
+     return 0;
+@@ -893,7 +893,7 @@ static int vorbis_parse_id_hdr(vorbis_co
+     (get_bits(gb, 8)!='r') || (get_bits(gb, 8)!='b') ||
+     (get_bits(gb, 8)!='i') || (get_bits(gb, 8)!='s')) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (no vorbis signature). \n");
+-        return 1;
++        return -1;
+     }
+ 
+     vc->version=get_bits_long(gb, 32);    //FIXME check 0
+@@ -908,14 +908,14 @@ static int vorbis_parse_id_hdr(vorbis_co
+     vc->blocksize[1]=(1<<bl1);
+     if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
+-        return 3;
++        return -3;
+     }
+     // output format int16
+     if (vc->blocksize[1]/2 * vc->audio_channels * 2 >
+                                              AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+         av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+                "output packets too large.\n");
+-        return 4;
++        return -4;
+     }
+     vc->win[0]=ff_vorbis_vwin[bl0-6];
+     vc->win[1]=ff_vorbis_vwin[bl1-6];
+@@ -932,7 +932,7 @@ static int vorbis_parse_id_hdr(vorbis_co
+ 
+     if ((get_bits1(gb)) == 0) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (framing flag not set). \n");
+-        return 2;
++        return -2;
+     }
+ 
+     vc->channel_residues= av_malloc((vc->blocksize[1]/2)*vc->audio_channels * sizeof(float));
+@@ -1392,7 +1392,7 @@ static int vorbis_residue_decode(vorbis_
+                                 }
+                             } else {
+                                 av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
+-                                return 1;
++                                return -1;
+                             }
+                         }
+                     }
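Review bot: The return contract these hunks establish (0 on success, negative codes from -1 to -8 on failure) is not documented anywhere in the visible lines, and the callers of vorbis_parse_id_hdr and vorbis_parse_setup_hdr are not part of the patch. A comment above each parser, for example `// returns 0 on success, <0 on error (value identifies the failing section)`, would record it. The callers should be checked to confirm they test for non-zero or negative rather than for a positive code. Allocation failures such as `if(!floor_setup->data.t0.book_list) { return -1; }` share -1 with malformed-data errors, so a caller cannot tell the two apart.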
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0011-Check-submap-indexes.patch b/debian/patches/security/libavcodec/vorbis_dec/0011-Check-submap-indexes.patch
new file mode 100644
index 0000000..5297c65
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0011-Check-submap-indexes.patch
@@ -0,0 +1,38 @@
+From c1fe0583d44a67f94047bd3e59f2b53f304db4ec Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 14:19:17 +0000
+Subject: [PATCH 11/12] Check submap indexes.
+ 10_vorbis_submap_indexes.patch by chrome.
+ Iam applying this even though reimar had some comments to improve it as it fixes
+ a serious security issue and i do not want to leave such things unfixed.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20001 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   15 +++++++++++++--
+ 1 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -763,9 +763,20 @@ static int vorbis_parse_setup_hdr_mappin
+         }
+ 
+         for(j=0;j<mapping_setup->submaps;++j) {
++            int bits;
+             skip_bits(gb, 8); // FIXME check?
+-            mapping_setup->submap_floor[j]=get_bits(gb, 8);
+-            mapping_setup->submap_residue[j]=get_bits(gb, 8);
++            bits=get_bits(gb, 8);
++            if (bits>=vc->floor_count) {
++                av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
++                return -1;
++            }
++            mapping_setup->submap_floor[j]=bits;
++            bits=get_bits(gb, 8);
++            if (bits>=vc->residue_count) {
++                av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
++                return -1;
++            }
++            mapping_setup->submap_residue[j]=bits;
+ 
+             AV_DEBUG("   %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
+         }
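Review bot: The new local is named `bits` but holds a decoded index, and nothing at the two checks says why `vc->floor_count` and `vc->residue_count` are the right bounds. I would rename it (for example `int idx;`) and add a comment such as `/* submap_floor[]/submap_residue[] are used as table indexes later; reject values the setup header never defined */`, assuming these values later index the floor and residue tables, which this hunk does not show. The `skip_bits(gb, 8); // FIXME check?` line directly above the new checks is left as it was. The enclosing function starts and ends outside the hunk.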
diff --git a/debian/patches/security/libavcodec/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch b/debian/patches/security/libavcodec/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
new file mode 100644
index 0000000..12764b1
--- /dev/null
+++ b/debian/patches/security/libavcodec/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
@@ -0,0 +1,21 @@
+From c2ca1c6ee96c27ec872012dbc5a8b15fdb15eca9 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 15:30:38 +0000
+Subject: [PATCH 12/12] Fix format string to match the types printed.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20003 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -654,7 +654,7 @@ static int vorbis_parse_setup_hdr_residu
+         if (res_setup->begin>res_setup->end
+         || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+         || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+-            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
++            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+             return -1;
+         }
+ 
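Review bot: The last value logged is always `vc->blocksize[1]/2`, while the bound tested two lines above is `vc->blocksize[1]/(res_setup->type==2?1:2)`, so for type 2 the message reports half of the limit that was actually applied. Passing the checked expression as the final argument, `vc->blocksize[1]/(res_setup->type==2?1:2)`, keeps the error usable when triaging a rejected file. Separately, the `PRId*` macros are the signed variants; if the residue fields are unsigned fast types (their declarations are outside the hunk), `PRIuFAST16`/`PRIuFAST32` would be the exact match.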
diff --git a/debian/patches/security/libavcodec/vp3/0001-Fix-init_get_bits-buffer-size.patch b/debian/patches/security/libavcodec/vp3/0001-Fix-init_get_bits-buffer-size.patch
new file mode 100644
index 0000000..e97b595
--- /dev/null
+++ b/debian/patches/security/libavcodec/vp3/0001-Fix-init_get_bits-buffer-size.patch
@@ -0,0 +1,22 @@
+From 351a67a951b4b95bc0cb05127445b685f362f9b9 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:27:10 +0000
+Subject: [PATCH 1/3] Fix init_get_bits() buffer size.
+ 18_fix_theora_header_bit_len.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19993 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vp3.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/libavcodec/vp3.c
++++ b/libavcodec/vp3.c
+@@ -2585,7 +2585,7 @@ static int theora_decode_init(AVCodecCon
+     }
+ 
+   for(i=0;i<3;i++) {
+-    init_get_bits(&gb, header_start[i], header_len[i]);
++    init_get_bits(&gb, header_start[i], header_len[i] * 8);
+ 
+     ptype = get_bits(&gb, 8);
+     debug_vp3("Theora headerpacket type: %x\n", ptype);
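Review bot: The unit mismatch this line fixes is easy to reintroduce, so the call deserves a comment: `/* init_get_bits() takes the size in bits; header_len[] is in bytes */`. The next statement reads 8 bits unconditionally, and nothing visible in the hunk guarantees that `header_len[i]` is at least 1. If the header-splitting code above does not ensure that, a guard such as `if (header_len[i] <= 0) return -1;` before the call would be needed, with the cleanup on that path checked against the rest of the function. theora_decode_init starts and ends outside the hunk.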
diff --git a/debian/patches/security/libavformat/mov/0000-MOV-Support-stz2-Compact-Sample-Size-Box.patch b/debian/patches/security/libavformat/mov/0000-MOV-Support-stz2-Compact-Sample-Size-Box.patch
new file mode 100644
index 0000000..104f02a
--- /dev/null
+++ b/debian/patches/security/libavformat/mov/0000-MOV-Support-stz2-Compact-Sample-Size-Box.patch
@@ -0,0 +1,96 @@
+From 1e6a8e7b1f40e16f79ff63080d58126e8b52ad2c Mon Sep 17 00:00:00 2001
+From: alexc <alexc at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 16 Mar 2009 16:14:36 +0000
+Subject: [PATCH] MOV: Support stz2 "Compact Sample Size Box"
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18016 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c |   38 ++++++++++++++++++++++++++++++++++++--
+ 1 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -27,6 +27,7 @@
+ #include "riff.h"
+ #include "isom.h"
+ #include "dv.h"
++#include "bitstream.h"
+ 
+ #ifdef CONFIG_ZLIB
+ #include <zlib.h>
+@@ -926,31 +927,62 @@ static int mov_read_stsz(MOVContext *c, 
+ {
+     AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+     MOVStreamContext *sc = st->priv_data;
+-    unsigned int i, entries, sample_size;
++    unsigned int i, entries, sample_size, field_size, num_bytes;
++    GetBitContext gb;
++    unsigned char* buf;
+ 
+     get_byte(pb); /* version */
+     get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
+ 
++    if (atom.type == MKTAG('s','t','s','z')) {
+     sample_size = get_be32(pb);
+     if (!sc->sample_size) /* do not overwrite value computed in stsd */
+         sc->sample_size = sample_size;
++    field_size = 32;
++    } else {
++        sample_size = 0;
++        get_be24(pb); /* reserved */
++        field_size = get_byte(pb);
++    }
+     entries = get_be32(pb);
+     if(entries >= UINT_MAX / sizeof(int))
+         return -1;
+ 
+     sc->sample_count = entries;
++    dprintf(c->fc, "sample_size = %d sample_count = %d\n", sc->sample_size, sc->sample_count);
+     if (sample_size)
+         return 0;
+ 
+-    dprintf(c->fc, "sample_size = %d sample_count = %d\n", sc->sample_size, sc->sample_count);
++    if (field_size != 4 && field_size != 8 && field_size != 16 && field_size != 32) {
++        av_log(c->fc, AV_LOG_ERROR, "Invalid sample field size %d\n", field_size);
++        return -1;
++    }
+ 
++    if(entries >= UINT_MAX / sizeof(int))
++        return -1;
+     sc->sample_sizes = av_malloc(entries * sizeof(int));
+     if (!sc->sample_sizes)
+         return -1;
+-    for(i=0; i<entries; i++) {
+-        sc->sample_sizes[i] = get_be32(pb);
+-        dprintf(c->fc, "sample_sizes[]=%d\n", sc->sample_sizes[i]);
++    num_bytes = (entries*field_size+4)>>3;
++
++    buf = av_malloc(num_bytes);
++    if (!buf) {
++        av_freep(&sc->sample_sizes);
++        return AVERROR(ENOMEM);
+     }
++
++    if (get_buffer(pb, buf, num_bytes) < num_bytes) {
++        av_freep(&sc->sample_sizes);
++        av_free(buf);
++        return -1;
++    }
++
++    init_get_bits(&gb, buf, 8*num_bytes);
++
++    for(i=0; i<entries; i++)
++        sc->sample_sizes[i] = get_bits_long(&gb, field_size);
++
++    av_free(buf);
+     return 0;
+ }
+ 
+@@ -1262,6 +1294,7 @@ static const MOVParseTableEntry mov_defa
+ { MKTAG( 's', 't', 's', 's' ), mov_read_stss }, /* sync sample */
+ { MKTAG( 's', 't', 's', 'z' ), mov_read_stsz }, /* sample size */
+ { MKTAG( 's', 't', 't', 's' ), mov_read_stts },
++{ MKTAG( 's', 't', 'z', '2' ), mov_read_stsz }, /* compact sample size */
+ { MKTAG( 't', 'k', 'h', 'd' ), mov_read_tkhd }, /* track header */
+ { MKTAG( 't', 'r', 'a', 'k' ), mov_read_trak },
+ { MKTAG( 'u', 'd', 't', 'a' ), mov_read_udta },
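Review bot: In the added read of the size table, `get_buffer(pb, buf, num_bytes) < num_bytes` compares the call's result with an `unsigned int`. If get_buffer() returns a signed int and can report failure as a negative value, that value is converted to a large unsigned number, the short-read branch is skipped, and `sample_sizes[]` is filled from an uninitialised `buf`. Comparing for equality avoids the problem: `if (get_buffer(pb, buf, num_bytes) != num_bytes) {`. The second `if(entries >= UINT_MAX / sizeof(int))` added before av_malloc() repeats the unchanged check a few lines earlier, and the error paths mix `-1` with `AVERROR(ENOMEM)`. The signature line of mov_read_stsz is outside the hunk.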
diff --git a/debian/patches/security/libavformat/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch b/debian/patches/security/libavformat/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
new file mode 100644
index 0000000..55e929d
--- /dev/null
+++ b/debian/patches/security/libavformat/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
@@ -0,0 +1,21 @@
+From 59a7d76f26091bb379e41e546c561d6987b2df3b Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 7 Sep 2009 22:42:51 +0000
+Subject: [PATCH] check entries against field_size, potential malloc overflow in read_stsz, fix #1357
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19793 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -958,7 +958,7 @@ static int mov_read_stsz(MOVContext *c, 
+         return -1;
+     }
+ 
+-    if(entries >= UINT_MAX / sizeof(int))
++    if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size)
+         return -1;
+     sc->sample_sizes = av_malloc(entries * sizeof(int));
+     if (!sc->sample_sizes)
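Review bot: The constant in `(UINT_MAX - 4) / field_size` is unexplained; it mirrors the `(entries*field_size+4)>>3` computation of `num_bytes` that patch 0000 adds further down in mov_read_stsz, and a comment should say so: `/* num_bytes = (entries*field_size+4)>>3 below must not wrap */`. The division is safe only because `field_size` has already been restricted to 4, 8, 16 or 32 by the check that ends just above this line, so the two checks must stay in that order. `entries` is still bounded only against arithmetic overflow; comparing the resulting byte count with the atom's size would also reject tables larger than the data present, though whether `atom.size` is reliable at this point cannot be told from the hunk. The function starts and ends outside the hunk.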
diff --git a/debian/patches/security/libavformat/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch b/debian/patches/security/libavformat/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
new file mode 100644
index 0000000..a1a9170
--- /dev/null
+++ b/debian/patches/security/libavformat/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
@@ -0,0 +1,27 @@
+From b601744633167a1b37bc171d298872d57522400e Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 7 Sep 2009 22:36:33 +0000
+Subject: [PATCH] add one missing check for stream existence in read_elst, fix #1364
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19792 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c |    6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -1250,9 +1250,13 @@ static int mov_read_cmov(MOVContext *c, 
+ /* edit list atom */
+ static int mov_read_elst(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
+ {
+-    MOVStreamContext *sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
++    MOVStreamContext *sc;
+     int i, edit_count;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    sc = c->fc->streams[c->fc->nb_streams-1]->priv_data;
++
+     get_byte(pb); /* version */
+     get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
+     edit_count= sc->edit_count = get_be32(pb);     /* entries */
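Review bot: The new early exit returns 0 without any trace, so an `elst` atom that appears before any stream exists is accepted silently and cannot be told apart from one that was parsed. A short comment, `/* elst with no stream to attach to: ignore the atom */`, and optionally an `av_log()` at warning level, would make both the intent and the malformed input visible. `edit_count` is a plain `int` filled from `get_be32(pb)`, so a 32-bit count above INT_MAX would presumably become negative; how the loop that follows handles that is outside the hunk.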
diff --git a/debian/patches/security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch b/debian/patches/security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
new file mode 100644
index 0000000..1242c16
--- /dev/null
+++ b/debian/patches/security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
@@ -0,0 +1,287 @@
+From 83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12 Mon Sep 17 00:00:00 2001
+From: bcoudurier <bcoudurier at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 24 Jun 2009 03:38:47 +0000
+Subject: [PATCH] check stream existence before assignment, fix #1222
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19259 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/mov.c |  136 +++++++++++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 107 insertions(+), 29 deletions(-)
+
+--- a/libavformat/mov.c
++++ b/libavformat/mov.c
+@@ -239,10 +239,15 @@ static int mov_read_default(MOVContext *
+ 
+ static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     int entries, i, j;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_be32(pb); // version + flags
+     entries = get_be32(pb);
+     if (entries >= UINT_MAX / sizeof(*sc->drefs))
+@@ -382,9 +387,13 @@ static const AVCodecTag mp4_audio_types[
+ 
+ static int mov_read_esds(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++    AVStream *st;
+     int tag, len;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++
+     get_be32(pb); /* version + flags */
+     len = mp4_read_descr(c, pb, &tag);
+     if (tag == MP4ESDescrTag) {
+@@ -441,7 +450,12 @@ static int mov_read_pasp(MOVContext *c, 
+ {
+     const int num = get_be32(pb);
+     const int den = get_be32(pb);
+-    AVStream * const st = c->fc->streams[c->fc->nb_streams-1];
++    AVStream *st;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++
+     if (den != 0) {
+         if ((st->sample_aspect_ratio.den != 1 || st->sample_aspect_ratio.num) && // default
+             (den != st->sample_aspect_ratio.den || num != st->sample_aspect_ratio.num))
+@@ -495,12 +509,18 @@ static int mov_read_moof(MOVContext *c, 
+ 
+ static int mov_read_mdhd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
+-    int version = get_byte(pb);
++    AVStream *st;
++    MOVStreamContext *sc;
++    int version;
+     char language[4] = {0};
+     unsigned lang;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
++    version = get_byte(pb);
+     if (version > 1)
+         return -1; /* unsupported */
+ 
+@@ -562,7 +582,11 @@ static int mov_read_mvhd(MOVContext *c, 
+ 
+ static int mov_read_smi(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++    AVStream *st;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
+ 
+     if((uint64_t)atom.size > (1<<30))
+         return -1;
+@@ -582,9 +606,14 @@ static int mov_read_smi(MOVContext *c, B
+ 
+ static int mov_read_enda(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    int little_endian = get_be16(pb);
++    AVStream *st;
++    int little_endian;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
+ 
++    little_endian = get_be16(pb);
+     dprintf(c->fc, "enda %d\n", little_endian);
+     if (little_endian == 1) {
+         switch (st->codec->codec_id) {
+@@ -634,7 +663,11 @@ static int mov_read_extradata(MOVContext
+ 
+ static int mov_read_wave(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++    AVStream *st;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
+ 
+     if((uint64_t)atom.size > (1<<30))
+         return -1;
+@@ -661,7 +694,11 @@ static int mov_read_wave(MOVContext *c, 
+  */
+ static int mov_read_glbl(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
++    AVStream *st;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
+ 
+     if((uint64_t)atom.size > (1<<30))
+         return -1;
+@@ -677,10 +714,15 @@ static int mov_read_glbl(MOVContext *c, 
+ 
+ static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+ 
+@@ -743,10 +785,15 @@ static enum CodecID mov_get_lpcm_codec_i
+ 
+ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     int j, entries, pseudo_stream_id;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+ 
+@@ -1065,10 +1112,15 @@ static int mov_read_stsd(MOVContext *c, 
+ 
+ static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+ 
+@@ -1093,10 +1145,15 @@ static int mov_read_stsc(MOVContext *c, 
+ 
+ static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+ 
+@@ -1120,12 +1177,17 @@ static int mov_read_stss(MOVContext *c, 
+ 
+ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries, sample_size, field_size, num_bytes;
+     GetBitContext gb;
+     unsigned char* buf;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+ 
+@@ -1183,12 +1245,17 @@ static int mov_read_stsz(MOVContext *c, 
+ 
+ static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries;
+     int64_t duration=0;
+     int64_t total_sample_count=0;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+     entries = get_be32(pb);
+@@ -1227,10 +1294,15 @@ static int mov_read_stts(MOVContext *c, 
+ 
+ static int mov_read_ctts(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
+ {
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
++    AVStream *st;
++    MOVStreamContext *sc;
+     unsigned int i, entries;
+ 
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
++
+     get_byte(pb); /* version */
+     get_be24(pb); /* flags */
+     entries = get_be32(pb);
+@@ -1537,10 +1609,16 @@ static int mov_read_tkhd(MOVContext *c, 
+     int height;
+     int64_t disp_transform[2];
+     int display_matrix[3][2];
+-    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+-    MOVStreamContext *sc = st->priv_data;
+-    int version = get_byte(pb);
++    AVStream *st;
++    MOVStreamContext *sc;
++    int version;
++
++    if (c->fc->nb_streams < 1)
++        return 0;
++    st = c->fc->streams[c->fc->nb_streams-1];
++    sc = st->priv_data;
+ 
++    version = get_byte(pb);
+     get_be24(pb); /* flags */
+     /*
+     MOV_TRACK_ENABLED 0x0001
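Review bot: This patch file is added to the tree but is not listed in `debian/patches/series`, and the commit message names it among the dropped patches, so none of its `nb_streams < 1` guards reach the built package. It is written against `MOVAtom` signatures, whereas the elst patch in this commit (0002) shows the packaged tree using `MOV_atom_t`, which suggests it was dropped because it does not apply. As a result only mov_read_elst gets the guard; mov_read_stsz as shown in patch 0000 still begins with `AVStream *st = c->fc->streams[c->fc->nb_streams-1];` unchecked. I would either leave the unused file out or record the gap in the series file, e.g. `# mov/0003 (stream existence checks) not applied: needs a manual backport`.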
diff --git a/debian/patches/security/libavformat/oggdec/0001-Disable-parsing-for-ogg-streams-where-no-ogg-header-.patch b/debian/patches/security/libavformat/oggdec/0001-Disable-parsing-for-ogg-streams-where-no-ogg-header-.patch
new file mode 100644
index 0000000..9af7683
--- /dev/null
+++ b/debian/patches/security/libavformat/oggdec/0001-Disable-parsing-for-ogg-streams-where-no-ogg-header-.patch
@@ -0,0 +1,33 @@
+From 7fb2fe280374bcb1c41c2a8e7aa5632d18dc4279 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 30 Sep 2009 09:46:48 +0000
+Subject: [PATCH] Disable parsing for ogg streams where no ogg header was found,
+ if no header was found the parser was not initialized and thus will
+ crash when trying to use it.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20093 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/oggdec.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+--- a/libavformat/oggdec.c
++++ b/libavformat/oggdec.c
+@@ -486,12 +486,17 @@ static int
+ ogg_read_header (AVFormatContext * s, AVFormatParameters * ap)
+ {
+     ogg_t *ogg = s->priv_data;
++    int i;
+     ogg->curidx = -1;
+     //linear headers seek from start
+     if (ogg_get_headers (s) < 0){
+-      return -1;
++        return -1;
+     }
+ 
++    for (i = 0; i < ogg->nstreams; i++)
++        if (ogg->streams[i].header < 0)
++            ogg->streams[i].codec = NULL;
++
+     //linear granulepos seek from end
+     ogg_get_length (s);
+ 
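Review bot: The added loop nests an unbraced `if` inside an unbraced `for` and carries no comment on why `codec` is cleared. I would brace both and add `/* no header was found for this stream: its parser was never initialised, so disable it */`, which is the reasoning given in the patch description. Every later use of `ogg->streams[i].codec` then has to tolerate NULL; those call sites are outside the hunk and should be checked. The hunk also re-indents the existing `return -1;`, an unrelated whitespace change inside a security fix.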
diff --git a/debian/patches/security/libavformat/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch b/debian/patches/security/libavformat/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
new file mode 100644
index 0000000..4880b50
--- /dev/null
+++ b/debian/patches/security/libavformat/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
@@ -0,0 +1,49 @@
+From fdf622ded070640a924e63a6e630325520d0b567 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Thu, 24 Sep 2009 15:37:09 +0000
+Subject: [PATCH] Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
+ First, make s signed, so that comparisons against end - p will not be made as
+ unsigned, making the check incorrectly pass if p is beyond end.
+ Also ensure that p will never be > end, so the code is correct also if
+ buf is not padded.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20014 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/oggparsevorbis.c |    9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/libavformat/oggparsevorbis.c
++++ b/libavformat/oggparsevorbis.c
+@@ -35,27 +35,28 @@ vorbis_comment(AVFormatContext * as, uin
+ {
+     const uint8_t *p = buf;
+     const uint8_t *end = buf + size;
+-    unsigned s, n, j;
++    unsigned n, j;
++    int s;
+ 
+     if (size < 8) /* must have vendor_length and user_comment_list_length */
+         return -1;
+ 
+     s = bytestream_get_le32(&p);
+ 
+-    if (end - p < s)
++    if (end - p - 4 < s || s < 0)
+         return -1;
+ 
+     p += s;
+ 
+     n = bytestream_get_le32(&p);
+ 
+-    while (p < end && n > 0) {
++    while (end - p >= 4 && n > 0) {
+         const char *t, *v;
+         int tl, vl;
+ 
+         s = bytestream_get_le32(&p);
+ 
+-        if (end - p < s)
++        if (end - p < s || s < 0)
+             break;
+ 
+         t = p;
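Review bot: Both new checks depend on a 32-bit length above INT_MAX turning negative when the result of `bytestream_get_le32()` is stored in `int s`, which is an implementation-defined conversion rather than something the code states. Testing the sign first, `if (s < 0 || end - p - 4 < s)` and `if (s < 0 || end - p < s)`, makes the intent readable, and a comment such as `/* s is signed so that end - p is not converted to unsigned */` would record why the type changed. The `- 4` in the first check reserves room for the `n` field read right after `p += s` and deserves a comment as well. The function continues past the end of the hunk.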
diff --git a/debian/patches/series b/debian/patches/series
index 8eecb39..26682d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,43 @@
 060_r14281_large_flac_metadata.diff
 300_c++_compliant_headers.diff
 900_doxyfile
+
+# security patches fetched from upstream
+
+#vorbis_dec security backports
+security/libavcodec/vorbis_dec/0001-Check-dimensions-against-0-too.patch
+security/libavcodec/vorbis_dec/0002-typo.patch
+security/libavcodec/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
+security/libavcodec/vorbis_dec/0004-Fix-book_idx-check.patch
+security/libavcodec/vorbis_dec/0005-Check-classbook-value.patch
+security/libavcodec/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
+security/libavcodec/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
+security/libavcodec/vorbis_dec/0008-Check-res_setup-books.patch
+security/libavcodec/vorbis_dec/0009-Check-begin-end-partition_size.patch
+security/libavcodec/vorbis_dec/0010-Make-error-return-sign-consistent.patch
+security/libavcodec/vorbis_dec/0011-Check-submap-indexes.patch
+security/libavcodec/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
+
+# vorbis security backports
+security/libavformat/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
+
+# libavcodec vp3 fixes
+security/libavcodec/vp3/0001-Fix-init_get_bits-buffer-size.patch
+
+# ffv1 fix
+security/libavcodec/ffv1/0001-Fix-a-possibly-exploitable-buffer-overflow.patch
+
+# mpegaudiodec backports
+security/libavcodec/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
+security/libavcodec/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch
+
+# h264 security backports
+security/libavcodec/h264/0001-Check-num_units_in_tick-time_scale-to-be-valid-and-w.patch
+
+# mov security backports
+security/libavformat/mov/0000-MOV-Support-stz2-Compact-Sample-Size-Box.patch
+security/libavformat/mov/0001-check-entries-against-field_size-potential-malloc-ov.patch
+security/libavformat/mov/0002-add-one-missing-check-for-stream-existence-in-read_e.patch
+
+# oggedc backports
+security/libavformat/oggdec/0001-Disable-parsing-for-ogg-streams-where-no-ogg-header-.patch
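Review bot: `0000-MOV-Support-stz2-Compact-Sample-Size-Box.patch` is listed under `# mov security backports`, but by its own subject it adds stz2 parsing, and the `field_size` arithmetic that 0001 guards is introduced by 0000 itself. From the patches shown, the pair therefore appears to add a new parsing path to the stable package together with its fix rather than close a hole that was already there; if that is intended, a comment should say so, e.g. `# 0000 is a feature backport that 0001 depends on`. Two smaller points: `# oggedc backports` should read `# oggdec backports`, and the oggparsevorbis entry sits under `# vorbis security backports` right after `#vorbis_dec security backports`, which is easy to confuse.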

-- 
FFmpeg packaging


