
List:       oss-security
Subject:    Re: [oss-security] CVE Request: FFmpeg 2.1 multiple problems
From:       Michael Niedermayer <michaelni () gmx ! at>
Date:       2013-11-28 11:09:48
Message-ID: 20131128110948.GT10262 () nb4


On Thu, Nov 28, 2013 at 01:02:52AM -0700, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ok tracked down who reported most of these, but two are still unknown:

[...]

> https://github.com/FFmpeg/FFmpeg/commit/454a11a1c9c686c78aa97954306fb63453299760
>     avcodec/dsputil: fix signedness in sizeof() comparisons leading
>     to integer overflow and out of array accesses
> Who reported this?

IIRC after I fixed ticket2919, I searched for similar issues in
the codebase and that was what I found.


> 
> https://github.com/FFmpeg/FFmpeg/commit/547d690d676064069d44703a1917e0dab7e33445
>     Fixes out of array (on heap) writes in ffv1 decoding
>     https://trac.ffmpeg.org/ticket/2906 ami_stuff
>     Found-by: ami_stuff
> 
[...]

> https://github.com/FFmpeg/FFmpeg/commit/86736f59d6a527d8bc807d09b93f971c0fe0bb07
>     avcodec/pngdsp: fix (un)signed type in end comparison
>     Fixes out of array writes in png decoding
>     https://trac.ffmpeg.org/ticket/2919 ami_stuff
>     Found_by: ami_stuff
> 

[...]

> https://github.com/FFmpeg/FFmpeg/commit/b05cd1ea7e45a836f7f6071a716c38bb30326e0f
>     ffv1dec: Check bits_per_raw_sample and colorspace for equality in
> ver 0/1 headers
>     prevents inconsistency and out of array write
> Who reported this?

IIRC it probably was the result of code review which was done due to
Ticket 2906

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
