[SCM] ffmpeg/ubuntu.extra: Add flic video patch. Fixes CVE-2010-3429
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Wed Oct 6 13:19:33 UTC 2010
The following commit has been merged in the ubuntu.extra branch:
commit 55ebda6227d2061723363b05e16835121458baf6
Author: Reinhard Tartler <siretart at tauware.de>
Date: Tue Oct 5 21:12:32 2010 +0200
Add flic video patch. Fixes CVE-2010-3429
diff --git a/debian/patches/fix-CVE-2010-3429.patch b/debian/patches/fix-CVE-2010-3429.patch
new file mode 100644
index 0000000..7e6b864
--- /dev/null
+++ b/debian/patches/fix-CVE-2010-3429.patch
@@ -0,0 +1,101 @@
+From: michael
+Subject: Fix several security issues in flicvideo.c
+
+This fixes CVE-2010-3429
+
+backport r25223 by michael
+
+--- a/libavcodec/flicvideo.c
++++ b/libavcodec/flicvideo.c
+@@ -159,7 +159,7 @@ static int flic_decode_frame_8BPP(AVCode
+ int pixel_skip;
+ int pixel_countdown;
+ unsigned char *pixels;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -253,10 +253,13 @@ static int flic_decode_frame_8BPP(AVCode
+ av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
+ } else if ((line_packets & 0xC000) == 0x8000) {
+ // "last byte" opcode
+- pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff;
++ pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
++ CHECK_PIXEL_PTR(0);
++ pixels[pixel_ptr] = line_packets & 0xff;
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -268,7 +271,7 @@ static int flic_decode_frame_8BPP(AVCode
+ byte_run = -byte_run;
+ palette_idx1 = buf[stream_ptr++];
+ palette_idx2 = buf[stream_ptr++];
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(byte_run * 2);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = palette_idx2;
+@@ -298,6 +301,7 @@ static int flic_decode_frame_8BPP(AVCode
+ stream_ptr += 2;
+ while (compressed_lines > 0) {
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ line_packets = buf[stream_ptr++];
+ if (line_packets > 0) {
+@@ -453,7 +457,7 @@ static int flic_decode_frame_15_16BPP(AV
+ int pixel_countdown;
+ unsigned char *pixels;
+ int pixel;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -503,6 +507,7 @@ static int flic_decode_frame_15_16BPP(AV
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -514,13 +519,13 @@ static int flic_decode_frame_15_16BPP(AV
+ byte_run = -byte_run;
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+ }
+ } else {
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown--) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+@@ -611,7 +616,7 @@ static int flic_decode_frame_15_16BPP(AV
+ if (byte_run > 0) {
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+@@ -622,7 +627,7 @@ static int flic_decode_frame_15_16BPP(AV
+ }
+ } else { /* copy pixels if byte_run < 0 */
+ byte_run = -byte_run;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
diff --git a/debian/patches/series b/debian/patches/series
index 4db8bde..fca1d65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0001-Add-VP80-fourcc.patch
0002-Tweak-doxygen-config.patch
0003-Backport-AAC-HE-v2.patch
+fix-CVE-2010-3429.patch
--
FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list