[libextractor/f12/master] added patch for cve-2010-3429 (not needed for fedora)
ensc
ensc at fedoraproject.org
Sat Oct 9 09:14:50 UTC 2010
commit d0ed9c6d73e028bd560841ebfc3a1a31f77a21db
Author: Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de>
Date: Sat Oct 9 11:14:35 2010 +0200
added patch for cve-2010-3429 (not needed for fedora)
cve-2010-3429.patch | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++
libextractor.spec | 7 +++
2 files changed, 115 insertions(+), 0 deletions(-)
---
diff --git a/cve-2010-3429.patch b/cve-2010-3429.patch
new file mode 100644
index 0000000..0049adc
--- /dev/null
+++ b/cve-2010-3429.patch
@@ -0,0 +1,108 @@
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Mon, 27 Sep 2010 15:16:16 +0000 (+0000)
+Subject: Fix several security issues in flicvideo.c
+X-Git-Url: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff_plain;h=16c592155f117ccd7b86006c45aacc692a81c23b
+
+Fix several security issues in flicvideo.c
+This fixes CVE-2010-3429
+
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@25223 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+
+diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
+index 429ded5..b63d7d4 100644
+--- libextractor-0.5.23/src/plugins/ffmpeg/libavcodec/flicvideo.c
++++ libextractor-0.5.23/src/plugins/ffmpeg/libavcodec/flicvideo.c
+@@ -159,7 +159,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
+ int pixel_skip;
+ int pixel_countdown;
+ unsigned char *pixels;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -253,10 +253,13 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
+ av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
+ } else if ((line_packets & 0xC000) == 0x8000) {
+ // "last byte" opcode
+- pixels[y_ptr + s->frame.linesize[0] - 1] = line_packets & 0xff;
++ pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
++ CHECK_PIXEL_PTR(0);
++ pixels[pixel_ptr] = line_packets & 0xff;
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -268,7 +271,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
+ byte_run = -byte_run;
+ palette_idx1 = buf[stream_ptr++];
+ palette_idx2 = buf[stream_ptr++];
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(byte_run * 2);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = palette_idx2;
+@@ -298,6 +301,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
+ stream_ptr += 2;
+ while (compressed_lines > 0) {
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ line_packets = buf[stream_ptr++];
+ if (line_packets > 0) {
+@@ -453,7 +457,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
+ int pixel_countdown;
+ unsigned char *pixels;
+ int pixel;
+- int pixel_limit;
++ unsigned int pixel_limit;
+
+ s->frame.reference = 1;
+ s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+@@ -503,6 +507,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++ CHECK_PIXEL_PTR(0);
+ pixel_countdown = s->avctx->width;
+ for (i = 0; i < line_packets; i++) {
+ /* account for the skip bytes */
+@@ -514,13 +519,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
+ byte_run = -byte_run;
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown -= 2) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+ }
+ } else {
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++, pixel_countdown--) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+@@ -611,7 +616,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
+ if (byte_run > 0) {
+ pixel = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = pixel;
+ pixel_ptr += 2;
+@@ -622,7 +627,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
+ }
+ } else { /* copy pixels if byte_run < 0 */
+ byte_run = -byte_run;
+- CHECK_PIXEL_PTR(byte_run);
++ CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j < byte_run; j++) {
+ *((signed short*)(&pixels[pixel_ptr])) = AV_RL16(&buf[stream_ptr]);
+ stream_ptr += 2;
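Review bot: The bundled patch's `diff --git a/libavcodec/flicvideo.c` and `index 429ded5..b63d7d4` lines name a different path than its `---`/`+++` headers (`libextractor-0.5.23/src/plugins/ffmpeg/libavcodec/flicvideo.c`), which suggests the upstream header was hand-edited to fit the bundled ffmpeg copy. `patch -p1`, which the spec's `%apply -n1 -p1` presumably runs, reads only the `---`/`+++` lines and will target `src/plugins/ffmpeg/libavcodec/flicvideo.c`, but `git apply` uses the `diff --git` paths and would look for `libavcodec/flicvideo.c` at the tree root and fail; regenerating the header consistently or dropping the `diff --git`/`index` lines avoids that trap. The stripped path only exists if the tarball always ships the bundled ffmpeg sources regardless of `--with-mpeg`, which the changelog says is off by default in Fedora, so it is worth confirming the patch applies in the default build rather than only in a `--with-mpeg` one. A minor style point inside the patch: the 8BPP hunk writes `CHECK_PIXEL_PTR(byte_run * 2)` while the 15/16BPP hunks use `2 * byte_run`; harmless, but one form would make future diffs against upstream cleaner.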
diff --git a/libextractor.spec b/libextractor.spec
index f3bc76a..cfd732e 100644
--- a/libextractor.spec
+++ b/libextractor.spec
@@ -21,6 +21,7 @@ Source0: http://gnunet.org/libextractor/download/%name-%version.tar.gz
#Source1: http://gnunet.org/libextractor/download/%name-%version.tar.gz.sig
Source10: README.fedora
Patch0: plugindir.patch
+Patch1: cve-2010-3429.patch
BuildRoot: %_tmppath/%name-%version-%release-root
BuildRequires: gettext
@@ -134,6 +135,7 @@ developing applications that use %name.
%prep
%setup -q
%apply -n0 -p1
+%apply -n1 -p1
install -pm644 %SOURCE10 .
rm -f README.debian
@@ -256,6 +258,11 @@ test "$1" != 0 || \
%changelog
+* Wed Sep 29 2010 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de>
+- added patch for cve-2010-3429 (ffmpeg: arbitrary offset dereference
+ vulnerability in flic video codec); needed only when built with
+ '--with-mpeg' which is disabled by default in fedora
+
* Sun Nov 22 2009 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.5.23-1200
- fixed plugin loading by disabling various autodetections (#452504)