[SCM] FFmpeg packaging branch, ubuntu.karmic, updated. debian/0.5+svn20090706-1ubuntu3-36-g3f9d596

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Thu Oct 15 07:34:14 UTC 2009


The following commit has been merged in the ubuntu.karmic branch:
commit 068aa47923722ea6e0560257d51e7b969d65bf40
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Thu Oct 15 00:00:18 2009 +0200

    libavcodec/mpegaudiodec.c backports

diff --git a/debian/patches/security/mpegaudiodec/0001-check-data_size-in-decode_frame.patch b/debian/patches/security/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
new file mode 100644
index 0000000..a2b3c71
--- /dev/null
+++ b/debian/patches/security/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
@@ -0,0 +1,27 @@
+From af59b51d945929694b5533d3d28ea4215e42af67 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 11:29:38 +0000
+Subject: [PATCH 1/3] check data_size in decode_frame()
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19986 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/mpegaudiodec.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
+index 2ba47df..6f451c3 100644
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -2276,6 +2276,9 @@ static int decode_frame(AVCodecContext * avctx,
+     avctx->bit_rate = s->bit_rate;
+     avctx->sub_id = s->layer;
+ 
++    if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
++        return -1;
++
+     if(s->frame_size<=0 || s->frame_size > buf_size){
+         av_log(avctx, AV_LOG_ERROR, "incomplete frame\n");
+         return -1;
+-- 
+1.6.3.3
+
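Review bot: The guard added to decode_frame() compares the signed `*data_size` against an expression that `sizeof` makes unsigned, so a negative `*data_size` is converted to a very large value and passes the check instead of being rejected. Rejecting negatives explicitly closes that gap: `if(*data_size < 0 || *data_size < 1152*avctx->channels*sizeof(OUT_INT))`. The decode_frame_mp3on4() guard in 0002 uses the same comparison shape and would need the same treatment. This assumes `data_size` is an `int *`; its declaration and the rest of decode_frame() are outside the hunk.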
diff --git a/debian/patches/security/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch b/debian/patches/security/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
new file mode 100644
index 0000000..e955645
--- /dev/null
+++ b/debian/patches/security/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
@@ -0,0 +1,27 @@
+From f6a0f8074a6ad33ebb90b687c77d33cd552f7005 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 11:33:44 +0000
+Subject: [PATCH 2/3] Check data_size in decode_frame_mp3on4().
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19987 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/mpegaudiodec.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
+index 6f451c3..3003e18 100644
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -2466,6 +2466,9 @@ static int decode_frame_mp3on4(AVCodecContext * avctx,
+     OUT_INT *outptr, *bp;
+     int fr, j, n;
+ 
++    if(*data_size < MPA_FRAME_SIZE * MPA_MAX_CHANNELS * s->frames * sizeof(OUT_INT))
++        return -1;
++
+     *data_size = 0;
+     // Discard too short frames
+     if (buf_size < HEADER_SIZE)
+-- 
+1.6.3.3
+
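Review bot: The new early return in decode_frame_mp3on4() rejects an undersized output buffer without any diagnostic, so the caller cannot tell it apart from a corrupt-stream failure. Logging before the return, with braces around the two statements, would make a caller-side sizing bug visible: `av_log(avctx, AV_LOG_ERROR, "output buffer too small\n");`. The guard added to decode_frame() in 0001 is silent in the same way, although the "incomplete frame" check right after it does log. The function body continues outside the hunk.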
diff --git a/debian/patches/security/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch b/debian/patches/security/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch
new file mode 100644
index 0000000..925c6ee
--- /dev/null
+++ b/debian/patches/security/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch
@@ -0,0 +1,26 @@
+From 7565e59ef9effe28962d7103f78c2d25e76524e0 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 11:44:30 +0000
+Subject: [PATCH 3/3] Set data_size to 0 to avoid having it uninitialized.
+ based on 31_mp3_outlen.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19988 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/mpegaudiodec.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
+index 3003e18..dd986bd 100644
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -2278,6 +2278,7 @@ static int decode_frame(AVCodecContext * avctx,
+ 
+     if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
+         return -1;
++    *data_size = 0;
+ 
+     if(s->frame_size<=0 || s->frame_size > buf_size){
+         av_log(avctx, AV_LOG_ERROR, "incomplete frame\n");
+-- 
+1.6.3.3
+
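Review bot: `*data_size = 0;` is placed after the size guard's `return -1;`, so on that one error path `*data_size` still holds the caller's buffer size rather than 0. A caller that reads `*data_size` without first checking the return value would then treat the whole unwritten output buffer as decoded samples. Copying the input into a local declared with the function's other locals covers every return: `out_size = *data_size;`, `*data_size = 0;`, then `if(out_size < 1152*avctx->channels*sizeof(OUT_INT)) return -1;`. decode_frame_mp3on4() in 0002 has the same ordering, with its guard ahead of the existing `*data_size = 0;`. decode_frame() starts and ends outside the hunk.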
diff --git a/debian/patches/series b/debian/patches/series
index 0c67a73..45f8527 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -57,3 +57,8 @@ security/vp3/0001-Fix-init_get_bits-buffer-size.patch
 
 # ffv1 fix
 security/ffv1/0001-Fix-a-possibly-exploitable-buffer-overflow.patch
+
+# mpegaudiodec backports
+security/mpegaudiodec/0001-check-data_size-in-decode_frame.patch
+security/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
+security/mpegaudiodec/0003-Set-data_size-to-0-to-avoid-having-it-uninitialized.patch

-- 
FFmpeg packaging


