[SCM] ffmpeg/master: Fix several security issues in flicvideo.c
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sun Oct 3 15:02:43 UTC 2010
The following commit has been merged in the master branch:
commit 7167e816236a0df01d671cdf0dd89cd7d8ba33e6
Author: Reinhard Tartler <siretart at tauware.de>
Date: Sun Oct 3 16:59:09 2010 +0200
Fix several security issues in flicvideo.c
This fixes CVE-2010-3429
diff --git a/debian/patches/fix-CVE-2010-3429.patch b/debian/patches/fix-CVE-2010-3429.patch
new file mode 100644
index 0000000..8d07a13
--- /dev/null
+++ b/debian/patches/fix-CVE-2010-3429.patch
@@ -0,0 +1,107 @@
+From: michael
+Subject: Fix several security issues in flicvideo.c
+
+This fixes CVE-2010-3429
+
+backport r25223 by michael
+
+--- a/libavcodec/flicvideo.c (revision 25324)
++++ b/libavcodec/flicvideo.c (revision 25325)
+@@ -160,7 +160,7 @@
+ int pixel_skip;
+ int pixel_countdown;
+ unsigned char *pixels;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -254,10 +254,13 @@
+ av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
+ } else if ((line_packets & 0xC000) == 0x8000) {
+ // "last byte" opcode
+- pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff;
++ pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
++ CHECK_PIXEL_PTR(0);
++ pixels[pixel_ptr] = line_packets & 0xff;
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -269,7 +272,7 @@
+ byte_run = -byte_run;
+ palette_idx1 = buf[stream_ptr++];
+ palette_idx2 = buf[stream_ptr++];
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(byte_run * 2);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = palette_idx2;
+@@ -299,6 +302,7 @@
+ stream_ptr += 2;
+ while (compressed_lines > 0) {
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ line_packets = buf[stream_ptr++];
+ if (line_packets > 0) {
+@@ -454,7 +458,7 @@
+ int pixel_countdown;
+ unsigned char *pixels;
+ int pixel;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -504,6 +508,7 @@
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -515,13 +520,13 @@
+ byte_run = -byte_run;
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+ }
+ } else {
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown--) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+@@ -612,7 +617,7 @@
+ if (byte_run > 0) {
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+@@ -623,7 +628,7 @@
+ }
+ } else { /* copy pixels if byte_run < 0 */
+ byte_run = -byte_run;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r25223
+
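Review bot: The `CHECK_PIXEL_PTR(0)` added before the "last byte" store `pixels[pixel_ptr] = line_packets & 0xff;` passes a length of 0 for a one-byte write, so whether `pixel_ptr == pixel_limit` is rejected depends on the macro's comparison, which is defined outside this patch; if it tests `pixel_ptr + n > pixel_limit`, that store could land one byte past the frame buffer. Passing the size actually written, `CHECK_PIXEL_PTR(1);`, would make the guard correct whichever comparison the macro uses. The same question applies to the `CHECK_PIXEL_PTR(0)` calls placed after `pixel_ptr = y_ptr;` in the other inner hunks, although the later run-length checks presumably cover the writes there. The change of `pixel_limit` to `unsigned int` appears intended to make a negative `pixel_ptr` fail the comparison through implicit conversion, and a short comment such as `/* unsigned so that a negative pixel_ptr compares as out of range */` would keep it from being reverted. The decode functions begin and end outside these hunks, so the reads via `buf[stream_ptr++]` cannot be judged from here.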
diff --git a/debian/patches/series b/debian/patches/series
index 4c91710..a48cf20 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@ fix-constant-quant-encoding.patch
increase-VOFW-on-x86.patch
use-normal-check_func-test-for-math-functions.patch
fix-x11grab-example.patch
+fix-CVE-2010-3429.patch
900_doxyfile
901-fix-misc-typos.patch
# fpic-ftbfs-fix.patch
--
FFmpeg packaging