diff options
| author |   Alexis Ballier <aballier@gentoo.org> | 2008-07-17 07:53:58 +0000 |
|---|---|---|
| committer | Alexis Ballier <aballier@gentoo.org> | 2008-07-17 07:53:58 +0000 |
| commit | 616279a63208d767b1805b86361495929018fa6a (patch) | |
| tree | 68bf79ad4b7095484a3fd50d5e14b192bcbd6dbe /media-video/ffmpeg/files | |
| parent | Fix up SRC_URI, upstream calls gnu-classpath by just classpath (diff) | |
| download | historical-616279a63208d767b1805b86361495929018fa6a.tar.gz historical-616279a63208d767b1805b86361495929018fa6a.tar.bz2 historical-616279a63208d767b1805b86361495929018fa6a.zip | |
Add patches for security bug #231831. -r3 is -r0 with the patch, stable candidate without swscaler. -r20 is -r2 with the patch, with swscaler.
Package-Manager: portage-2.2_rc1/cvs/Linux 2.6.25.7 x86_64
Diffstat (limited to 'media-video/ffmpeg/files')
| -rw-r--r-- | media-video/ffmpeg/files/CVE-2008-3162.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/media-video/ffmpeg/files/CVE-2008-3162.patch b/media-video/ffmpeg/files/CVE-2008-3162.patch new file mode 100644 index 000000000000..032a3e7016b3 --- /dev/null +++ b/media-video/ffmpeg/files/CVE-2008-3162.patch @@ -0,0 +1,63 @@ +CVE-2008-3162: +Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c +in FFmpeg before r13993 allows remote attackers to cause a denial of service +(application crash) or execute arbitrary code via a crafted STR file that interleaves +audio and video sectors. + +Patch from +http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993 + +Index: ffmpeg/libavformat/psxstr.c +=================================================================== +--- ffmpeg.orig/libavformat/psxstr.c ++++ ffmpeg/libavformat/psxstr.c +@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } ++ + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ ++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR_IO; + + pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; +@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= -1; + return 0; + } + |