The following message is a courtesy copy of an article that has been posted to gmane.linux.debian.devel.release as well.
Hi, Please unblock ffmpeg_4:0.5.2-6. It fixes CVE-2010-3429. thanks! Diff inline: Changes at tags/debian/0.5.2-5 Modified debian/changelog
diff --git a/debian/changelog b/debian/changelog
index ee4457a..61ed386 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ffmpeg (4:0.5.2-6) unstable; urgency=high
+
+ * Fix several security issues in flicvideo.c.
+ Fixes: CVE-2010-3429, Closes: #598590
+ * Raising severity to high because of security issue.
+
+ -- Reinhard Tartler <siret...@tauware.de> Sun, 03 Oct 2010 16:59:39 +0200
+
 ffmpeg (4:0.5.2-5) unstable; urgency=low
 
 [ Dominic Evans ]
New debian/patches/fix-CVE-2010-3429.patch
diff --git a/debian/patches/fix-CVE-2010-3429.patch b/debian/patches/fix-CVE-2010-3429.patch
new file mode 100644
index 0000000..8d07a13
--- /dev/null
+++ b/debian/patches/fix-CVE-2010-3429.patch
@@ -0,0 +1,107 @@
+From: michael
+Subject: Fix several security issues in flicvideo.c
+
+This fixes CVE-2010-3429
+
+backport r25223 by michael
+
+--- a/libavcodec/flicvideo.c (revision 25324)
++++ b/libavcodec/flicvideo.c (revision 25325)
+@@ -160,7 +160,7 @@
+ int pixel_skip;
+ int pixel_countdown;
+ unsigned char *pixels;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -254,10 +254,13 @@
+ av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
+ } else if ((line_packets & 0xC000) == 0x8000) {
+ // "last byte" opcode
+- pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff;
++ pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
++ CHECK_PIXEL_PTR(0);
++ pixels[pixel_ptr] = line_packets & 0xff;
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -269,7 +272,7 @@
+ byte_run = -byte_run;
+ palette_idx1 = buf[stream_ptr++];
+ palette_idx2 = buf[stream_ptr++];
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(byte_run * 2);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = palette_idx2;
+@@ -299,6 +302,7 @@
+ stream_ptr += 2;
+ while (compressed_lines > 0) {
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ line_packets = buf[stream_ptr++];
+ if (line_packets > 0) {
+@@ -454,7 +458,7 @@
+ int pixel_countdown;
+ unsigned char *pixels;
+ int pixel;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -504,6 +508,7 @@
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -515,13 +520,13 @@
+ byte_run = -byte_run;
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+ }
+ } else {
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown--) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+@@ -612,7 +617,7 @@
+ if (byte_run > 0) {
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+@@ -623,7 +628,7 @@
+ }
+ } else { /* copy pixels if byte_run < 0 */
+ byte_run = -byte_run;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r25223
+
Modified debian/patches/series
diff --git a/debian/patches/series b/debian/patches/series
index 4c91710..a48cf20 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@ fix-constant-quant-encoding.patch
 increase-VOFW-on-x86.patch
 use-normal-check_func-test-for-math-functions.patch
 fix-x11grab-example.patch
+fix-CVE-2010-3429.patch
 900_doxyfile
 901-fix-misc-typos.patch
 # fpic-ftbfs-fix.patch
-- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 _______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers
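Review bot: The backported CHECK_PIXEL_PTR calls in fix-CVE-2010-3429.patch bound only the output index, while the reads that feed them (`palette_idx1 = buf[stream_ptr++];`, `line_packets = buf[stream_ptr++];`, `pixel = AV_RL16(&buf[stream_ptr]);`) advance `stream_ptr` with no comparison against the packet length anywhere in the visible context. A truncated or malformed FLIC chunk may therefore still cause reads past the end of `buf`, so each run should be preceded by a guard such as `if (stream_ptr + 2 > buf_size) return -1;`, using whatever name the decoder has for the packet size, since the function signatures are outside these hunks. The switch of `pixel_limit` to `unsigned int` presumably relies on the comparison inside CHECK_PIXEL_PTR becoming unsigned so that a negative `pixel_ptr` is rejected, but the macro is defined outside the patch. A comment at both declarations, `/* unsigned: a negative pixel_ptr must fail CHECK_PIXEL_PTR */`, would keep a later cleanup from reverting the type. The patch header would also benefit from naming the upstream repository for r25223 so the backport can be re-verified against its origin.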