From bde4b660637c9f08eef51697c54417037a9eeb2f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 24 Jan 2012 22:20:26 +0100
Subject: [PATCH 01/12] nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 1edf848a81464afd514afbbbcb97b471d334e14a)
Signed-off-by: Reinhard Tartler
---
 libavformat/nsvdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 719337c898..d592617a87 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -586,12 +586,12 @@ null_chunk_retry:
 }
 /* map back streams to v,a */
- if (s->streams[0])
+ if (s->nb_streams > 0)
 st[s->streams[0]->id] = s->streams[0];
- if (s->streams[1])
+ if (s->nb_streams > 1)
 st[s->streams[1]->id] = s->streams[1];
- if (vsize/* && st[NSV_ST_VIDEO]*/) {
+ if (vsize && st[NSV_ST_VIDEO]) {
 nst = st[NSV_ST_VIDEO]->priv_data;
 pkt = &nsv->ahead[NSV_ST_VIDEO];
 av_get_packet(pb, pkt, vsize);
@@ -606,7 +606,7 @@ null_chunk_retry:
 if(st[NSV_ST_VIDEO])
 ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
- if (asize/*st[NSV_ST_AUDIO]*/) {
+ if (asize && st[NSV_ST_AUDIO]) {
 nst = st[NSV_ST_AUDIO]->priv_data;
 pkt = &nsv->ahead[NSV_ST_AUDIO];
 /* read raw audio specific header on the first audio chunk... */
From 056c909d9df7704c8e5bbaab9fdab5e7bc969e0b Mon Sep 17 00:00:00 2001
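Review bot: With the new `if (vsize && st[NSV_ST_VIDEO])` guard, a chunk that announces a non-zero `vsize` but has no video stream no longer has its payload read, and nothing in the hunk consumes those `vsize` bytes from `pb`, so the next parse would start inside the skipped video data; the same applies to `asize` in the second hunk at line 606. Unless the function skips them further down (it continues outside both hunks), an `else if (vsize) url_fskip(pb, vsize);` style branch is needed to keep the stream aligned. The `st[s->streams[0]->id]` stores also still trust that `id` is 0 or 1; if the demuxer sets `id` itself that is fine, but a comment saying so, e.g. `/* id is NSV_ST_VIDEO or NSV_ST_AUDIO, assigned by the NSVs parser */`, would make the invariant visible here.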
From: Alex Converse
Date: Thu, 26 Jan 2012 17:21:46 -0800
Subject: [PATCH 02/12] nsvdec: Be more careful with av_malloc().
Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)
Signed-off-by: Reinhard Tartler
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 87007519c81c37d8a3de424de3db14078ae84333)
Conflicts:
 libavformat/nsvdec.c
---
 libavformat/nsvdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index d592617a87..9e5f38d426 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -317,7 +317,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
 char *token, *value;
 char quote;
- p = strings = av_mallocz(strings_size + 1);
+ p = strings = av_mallocz((size_t)strings_size + 1);
+ if (!p)
+ return AVERROR(ENOMEM);
 endp = strings + strings_size;
 get_buffer(pb, strings, strings_size);
 while (p < endp) {
@@ -351,6 +353,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
 if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
 return -1;
 nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t));
+ if (!nsv->nsvf_index_data)
+ return AVERROR(ENOMEM);
 #warning "FIXME: Byteswap buffer as needed"
 get_buffer(pb, (unsigned char *)nsv->nsvf_index_data, table_entries * sizeof(uint32_t));
 }
From ec4979e16e119e9ccb42b111008e74b9bc667428 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 26 Jan 2012 17:23:09 -0800
Subject: [PATCH 03/12] nsvdec: Propagate errors
Related to CVE-2011-3940.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5)
Conflicts:
 libavformat/nsvdec.c
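Review bot: The return value of `get_buffer` is still ignored in both hunks (lines 317 and 353), so a truncated file leaves the buffers partly unread; for `strings` the `av_mallocz` zero fill keeps the parse loop NUL-terminated, but `nsvf_index_data` comes from `av_malloc`, so a short read leaves uninitialized index entries that the byteswap flagged by the `#warning` and any later index lookup would consume. Checking the byte count, `if (get_buffer(pb, (unsigned char *)nsv->nsvf_index_data, table_entries * sizeof(uint32_t)) != table_entries * sizeof(uint32_t)) return AVERROR(EIO);`, or allocating the table with `av_mallocz`, closes that. The type and sign of `strings_size` are not visible here; if it is a signed value read from the file, the `(size_t)` cast turns a negative size into a huge allocation that the new NULL check now rejects, which is worth a comment. nsv_parse_NSVf_header continues outside both hunks.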
Signed-off-by: Reinhard Tartler
(cherry picked from commit 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 3253dd2b420583a7f10afa87e47b9cb73e950e2a)
Signed-off-by: Reinhard Tartler
---
 libavformat/nsvdec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 9e5f38d426..25b3d6c4ae 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -511,11 +511,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap)
 for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
 if (nsv_resync(s) < 0)
 return -1;
- if (nsv->state == NSV_FOUND_NSVF)
+ if (nsv->state == NSV_FOUND_NSVF) {
 err = nsv_parse_NSVf_header(s, ap);
+ if (err < 0)
+ return err;
+ }
 /* we need the first NSVs also... */
 if (nsv->state == NSV_FOUND_NSVS) {
 err = nsv_parse_NSVs_header(s, ap);
+ if (err < 0)
+ return err;
 break; /* we just want the first one */
 }
 }
From 479869c499a28a0c19dfc355d6ffcd1d8c02720e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 24 Jan 2012 17:48:23 +0100
Subject: [PATCH 04/12] dv: check stype
dv: check stype
Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik
Signed-off-by: Michael Niedermayer
Signed-off-by: Alex Converse
(cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b)
Signed-off-by: Reinhard Tartler
(cherry picked from commit bb737d381f6d6413899a0697f426fb082eac66fc)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 38421f27b3899a930552750fe1e0dffd45b71b8e)
Signed-off-by: Reinhard Tartler
---
 libavformat/dv.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 820c3b5cec..c650b5b52e 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
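Review bot: The loop now propagates `err` from both header parsers, but the `return -1;` after `nsv_resync(s) < 0` two lines above keeps a bare -1 in the same function, so callers cannot tell it from a real AVERROR code; `return AVERROR_INVALIDDATA;` (or passing on nsv_resync's own return value) would keep the error domain consistent. The same applies to the value that reaches `err`: nsv_parse_NSVf_header still returns -1 on its table-size check in the previous patch, so `return err` can forward a bare -1 as well. nsv_read_header continues outside the hunk.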
@@ -202,6 +202,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
 stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
 quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */
+ if (stype > 3) {
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+ c->ach = 0;
+ return 0;
+ }
+
 /* note: ach counts PAIRS of channels (i.e. stereo channels) */
 ach = ((int[4]){ 1, 0, 2, 4})[stype];
 if (ach == 1 && quant && freq == 2)
From c4e8c99507b0b4ad384bea061afb6025ca868174 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 24 Jan 2012 17:51:40 +0100
Subject: [PATCH 05/12] dv: Fix null pointer dereference due to ach=0
dv: Fix null pointer dereference due to ach=0
Fixes part2 of CVE-2011-3929
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik
Signed-off-by: Michael Niedermayer
Signed-off-by: Alex Converse
(cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 44e182d41e3a73548f3f5e8445ec428d3846e6d6)
Signed-off-by: Reinhard Tartler
(cherry picked from commit b46141b0d1d7efb74dad172b7c1b52413441592f)
Conflicts:
 libavformat/dv.c
---
 libavformat/dv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/dv.c b/libavformat/dv.c
index c650b5b52e..54ed81854f 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -341,7 +341,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
 c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
 ppcm[i] = c->audio_buf[i];
 }
- dv_extract_audio(buf, ppcm, c->sys);
+ if (c->ach)
+ dv_extract_audio(buf, ppcm, c->sys);
 c->abytes += size;
 /* We work with 720p frames split in half, thus even frames have
From 5a92aa378d066369c6d9a82192c274ae4b8997f0 Mon Sep 17 00:00:00 2001
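Review bot: The new `stype > 3` check rejects the values 4..31 that `& 0x1f` can still produce, but the comment `/* 0 - 2CH, 2 - 4CH, 3 - 8CH */` on the line above leaves value 1 undocumented even though the table `((int[4]){ 1, 0, 2, 4})` maps it to `ach == 0`, which is exactly the case the next patch has to special-case in dv_produce_packet; extending it to `/* 0 - 2CH, 1 - maps to ach 0, 2 - 4CH, 3 - 8CH */` would make that explicit. The bound `3` also silently duplicates the length of that table, so a comment tying the two together (or one named constant used for both) would stop them drifting apart. dv_extract_audio_info continues outside the hunk.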
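Review bot: `if (c->ach)` now skips the extraction, but the following `c->abytes += size;` still advances even though no audio was produced, and the pts line two lines above derives audio timestamps from `abytes`; if `ach` can become non-zero again later in the same stream, those timestamps would jump by the skipped frames. That may be intentional to keep the byte clock running, but a one-line comment such as `/* ach == 0: dv_extract_audio_info rejected the audio header, nothing to extract */` would record why the call is skipped and whether the accounting is meant to continue. The `for` loop that fills `ppcm` and dv_produce_packet itself start outside the hunk.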
From: Alex Converse
Date: Thu, 26 Jan 2012 15:08:26 -0800
Subject: [PATCH 06/12] dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
Found with asan.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse
(cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 00fa6ffe1a0b252d6a81815e51f125225cd0b97a)
Signed-off-by: Reinhard Tartler
(cherry picked from commit a8f4db0acd9b588ba33e3b8c0c21feea5916cfd1)
Signed-off-by: Reinhard Tartler
---
 libavformat/dv.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 54ed81854f..256dcd4312 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -125,10 +125,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
 /* We work with 720p frames split in half, thus even frames have
 * channels 0,1 and odd 2,3. */
 ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
- pcm = ppcm[ipcm++];
 /* for each DIF channel */
 for (chan = 0; chan < sys->n_difchan; chan++) {
+ /* next stereo channel (50Mbps and 100Mbps only) */
+ pcm = ppcm[ipcm++];
+ if (!pcm)
+ break;
+
 /* for each DIF segment */
 for (i = 0; i < sys->difseg_size; i++) {
 frame += 6 * 80; /* skip DIF segment header */
@@ -176,11 +180,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
 frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
 }
 }
-
- /* next stereo channel (50Mbps and 100Mbps only) */
- pcm = ppcm[ipcm++];
- if (!pcm)
- break;
 }
 return size;
From 8bb3ba55417f6bd95a6085270d9b61e39ee94645 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 17 Dec 2011 03:18:58 +0100
Subject: [PATCH 07/12] atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[] array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer
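Review bot: Moving `pcm = ppcm[ipcm++]` to the top of the channel loop removes the read past the last iteration, but the index itself is still unbounded: `ipcm` starts at 2 for odd 720p frames and is incremented once per `sys->n_difchan` iteration, so `ppcm[ipcm]` stays inside the four-entry array only while `ipcm + sys->n_difchan <= 4`, which nothing in the hunk enforces and which now rests on the `sys` table contents and on the caller leaving NULL entries. A guard before the read, `if (ipcm >= 4) break;`, would make that invariant explicit instead of relying on a NULL slot. The second hunk at line 176 is the matching removal. dv_extract_audio continues outside both hunks.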
Signed-off-by: Justin Ruggles
(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
Signed-off-by: Reinhard Tartler
(cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be)
Signed-off-by: Reinhard Tartler
(cherry picked from commit f728ad26f0ec87650d2986a892785c0e2b97d161)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 224025d852dcc42f752c0922fef7121808d1e42f)
Signed-off-by: Reinhard Tartler
---
 libavcodec/atrac3.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index 81d25ec204..9205f35314 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -454,6 +454,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
 for (k=0; k= 64)
+ return AVERROR_INVALIDDATA;
 pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
 max_coded_values = 1024 - pComponent[component_count].pos;
 coded_values = coded_values_per_component + 1;
From b2ac7e585e53ef6c99eef09f1b6fce373fb05125 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Wed, 25 Jan 2012 13:39:24 -0800
Subject: [PATCH 08/12] mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 6ca010f20965ef71d97a53e871edae2eb9c05a5f)
Signed-off-by: Reinhard Tartler
---
 libavcodec/mjpegbdec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
index 62b29e0623..f19a87ff96 100644
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
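Review bot: The bound `64` in the new `component_count` check is a bare magic number that has to match the declared length of the `channel_unit.components[]` array the commit message names; because `pComponent` arrives as a pointer parameter, `sizeof` cannot recover that length here, so a named constant shared with the array declaration (or at least a comment such as `/* components[] holds 64 entries */` beside the check) is needed to keep the two from drifting apart. Note that in this copy of the patch the `for (k=0; ...` context line and the added `if (component_count >= 64)` condition appear fused into `for (k=0; k= 64)`, which looks like text between a `<` and a `>` was stripped by the rendering; the exact comparison should be verified against the original patch. decodeTonalComponents continues outside the hunk.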
@@ -49,6 +49,9 @@ read_header:
 s->restart_count = 0;
 s->mjpb_skiptosod = 0;
+ if (buf_end - buf_ptr >= 1 << 28)
+ return AVERROR_INVALIDDATA;
+
 init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
 skip_bits(&hgb, 32); /* reserved zeros */
@@ -99,8 +102,8 @@ read_header:
 av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
 if (sos_offs) {
-// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
- init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+ init_get_bits(&s->gb, buf_ptr + sos_offs,
+ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
 s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
 s->start_code = SOS;
 ff_mjpeg_decode_sos(s);
From 6c9b404dba6f29e44ff9ce385c84759e73082cd2 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Wed, 2 May 2012 12:08:03 -0700
Subject: [PATCH 09/12] motionpixels: Clip YUV values after applying a gradient.
Prevents illegal reads on truncated and malformed input.
CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)
Signed-off-by: Reinhard Tartler
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 2134e7f6e88959513ba1713ad6fd7a7c8d5a0f41)
Signed-off-by: Reinhard Tartler
---
 libavcodec/motionpixels.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index f69dcf95fe..349a02d0b1 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
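Review bot: The `8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)` clamp in the second hunk (line 99) bounds the bit reader's length, but `sos_offs` itself comes from the stream and is only tested for being non-zero here; unless it is validated earlier (outside the hunk), a value larger than `buf_end - buf_ptr` makes `buf_ptr + sos_offs` point past the buffer and turns the FFMIN result negative. A check such as `if (sos_offs >= buf_end - buf_ptr) return AVERROR_INVALIDDATA;` before the `init_get_bits` call closes that. In the first hunk, `1 << 28` encodes "the byte count times 8 must still fit in an int" for the `(buf_end - buf_ptr)*8` below it; a comment saying so, or spelling it as `INT_MAX / 8`, would make the intent readable. The function body continues outside both hunks.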
@@ -239,10 +239,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
 p = mp_get_yuv_from_rgb(mp, x - 1, y);
 } else {
 p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
 if ((x & 3) == 0) {
 if ((y & 3) == 0) {
 p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
 p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
 mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
 } else {
 p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -266,9 +269,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
 p = mp_get_yuv_from_rgb(mp, 0, y);
 } else {
 p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+ p.y = av_clip(p.y, 0, 31);
 if ((y & 3) == 0) {
 p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+ p.v = av_clip(p.v, -32, 31);
 p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+ p.u = av_clip(p.u, -32, 31);
 }
 mp->vpt[y] = p;
 mp_set_rgb_from_yuv(mp, 0, y, &p);
From 468cc41d6d7bba97f67e9a6c8386ca98cde41190 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Mon, 23 Apr 2012 13:16:33 +0100
Subject: [PATCH 10/12] vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)
Signed-off-by: Reinhard Tartler
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)
Signed-off-by: Reinhard Tartler
(cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8)
Signed-off-by: Reinhard Tartler
(cherry picked from commit c90da45d5a7a4045dbf22fba52c63ef55d207269)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vqavideo.c | 6 ++++++
 1 file changed, 6 insertions(+)
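Review bot: The clip bounds `0, 31` and `-32, 31` appear six times across the two hunks (lines 239 and 266) as bare numbers, and nothing in either hunk says why luma is held to 0..31 and chroma to -32..31 — presumably the range that `mp_set_rgb_from_yuv` and the `hpt`/`vpt` consumers can index safely, which is the "illegal reads" the commit message refers to, but that should be confirmed and written down. Naming the bounds (constructed example: `MP_Y_MAX`, `MP_UV_MIN`, `MP_UV_MAX`) and folding the three `av_clip` assignments into one small static helper called from both functions would remove the duplication and give the invariant one home; a comment such as `/* keep y,u,v inside the range the YUV->RGB conversion accepts */` at that helper would cover the why. Both enclosing functions start and end outside the hunks.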
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 00df736d3b..f34a63173b 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -163,6 +163,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
 return -1;
 }
+ if (s->width & (s->vector_width - 1) ||
+ s->height & (s->vector_height - 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* allocate codebooks */
 s->codebook_size = MAX_CODEBOOK_SIZE;
 s->codebook = av_malloc(s->codebook_size);
From 79fbcd9f0342823414793bdf09adafd7dd0872eb Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 10 May 2012 20:15:51 +0200
Subject: [PATCH 11/12] Release notes and changelog for 0.5.7
---
 Changelog | 14 ++++++++++++++
 RELEASE | 16 ++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/Changelog b/Changelog
index 89903eb1ad..c5c5d31d49 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,20 @@ Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
+version 0.5.8:
+
+- id3v2: fix skipping extended header in id3v2.4
+- nsvdec: Several bugfixes related to CVE-2011-3940
+- dv: check stype
+- dv: Fix null pointer dereference due to ach=0
+- dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
+- atrac3: Fix crash in tonal component decoding, fixes CVE-2012-0853
+- mjpegbdec: Fix overflow in SOS, fixes CVE-2011-3947
+- motionpixels: Clip YUV values after applying a gradient.
+- vqavideo: return error if image size is not a multiple of block size,
+ fixes CVE-2012-0947.
+
+
 version 0.5.7:
 - vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895)
 - vorbisdec: Fix decoding bug with channel handling.
diff --git a/RELEASE b/RELEASE
index e68779b5b2..7c0086c16e 100644
--- a/RELEASE
+++ b/RELEASE
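Review bot: `s->width & (s->vector_width - 1)` is only a multiple-of test when `vector_width` is a power of two; unless the validation just above (the `return -1;` branch is visible, its condition is outside the hunk) restricts `vector_width` and `vector_height` to such values, the test must be `s->width % s->vector_width` (and likewise for height), and a short comment saying which of the two holds would keep the next reader from having to check. The condition also mixes `&` and `||` without parentheses, which compiles as intended but is easy to misread; `if ((s->width & (s->vector_width - 1)) || (s->height & (s->vector_height - 1)))` reads unambiguously. vqa_decode_init continues outside the hunk.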
@@ -187,3 +187,19 @@ demuxer (CVE-2011-3893 and CVE-2011-3895).
 Distributors and system integrators are encouraged to update and share their patches against this branch. For a full list of changes please see the Changelog file.
+
+* 0.5.8 May 10, 2012
+
+General notes
+-------------
+
+This maintenance-only release that addresses a number a number of
+security issues that have been brought to our attention. Among other
+(rather minor) fixes, this release features fixes for the DV decoder
+(CVE-2011-3929 and CVE-2011-3936), nsvdec (CVE-2011-3940), Atrac3
+(CVE-2012-0853), mjpegdec (CVE-2011-3947) and the VQA video decoder
+(CVE-2012-0947).
+
+Distributors and system integrators are encouraged
+to update and share their patches against this branch. For a full list
+of changes please see the Changelog file.
From 4b2e02a4c4a618ac6d03fd38eb7ab0bc09596667 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 10 May 2012 20:21:51 +0200
Subject: [PATCH 12/12] Bump version number for 0.5.8 release.
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index d3532a107e..659914ae94 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.7
+0.5.8