|
Message-ID: <20120105181859.GJ11144@kiste2>
Date: Thu, 5 Jan 2012 19:18:59 +0100
From: Michael Niedermayer <michaelni@....at>
To: Kurt Seifried <kseifrie@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Requests for FFmpeg 0.9.1
On Thu, Jan 05, 2012 at 10:36:41AM -0700, Kurt Seifried wrote:
> On 01/05/2012 10:05 AM, Michael Niedermayer wrote:
> > Hi
> >
> > Id like to request some CVE #s for ffmpeg 0.9.1.
> > to lookup the git hashes see:
> > http://source.ffmpeg.org/?p=ffmpeg.git;a=summary
> > or put "http://source.ffmpeg.org/?p=ffmpeg.git;a=commitdiff;h="
> > before each hash
> >
> > I tried to sort the issues a little according to type to make this huge list a
> > bit less ugly. Also feel free to skip things considered too minor, iam
> > not sure where the threshold of "too minor" is.
> >
> >
> > Out of array reads:
> > d209c27b09234cc40bbdbd680aa502b493edf595 vc1dec: fix invalid memory access for small video dimensions
> > aacf6b3a2fd8bc8603e3deaa6e612ea03cf08707 rv34: fix invalid memory access for small video dimensions
> > e7c1e38ba632f7315e332dd350b38f782f428884 qpeg: Check for overread in qpeg_decode_intra.
> > 8e09482e4d27d65bbce2ce5c2f4392216011ed09 vcr1dec: Check that there is sufficient input data.
> > 11ca3416f92744f376c08e5f31bcbe5d9b44acb2 v410dec: Check for sufficient input data.
> > bc6a3bd4a544608211f006e2d2868cbed4e1fde6 h264: Fix a possible overread in decode_nal_units()
> > ad3161ec1d70291efcf40121d703ef73c0b08e5b kvmc: fix invalid reads
> > 2b73cddd40bdfd7e3c21b2fe8cbfca0277d1f786 proresdec: Check yuv slice data sizes.
> > http://ffmpeg.org/trac/ffmpeg/ticket/812
> > f264d336fe61c12ce9607c3060aa5d3dca947c61 truespeech: fix invalid reads in truespeech_apply_twopoint_filter()
> > a8469223f6bb756a44f6579439fcae24ccc739b1 alac: Check for bitstream overread
> > http://ffmpeg.org/trac/ffmpeg/ticket/801
> > 00aad121d8a6f365641345a8321bdaac1ff80649 xl: Fix overreads
> > d0f7927177077799abe540f9195b5ce1fc089183 smacker: Check for overread in smka_decode_frame()
> > 30b996d443aeb105d0017b06ce590c55a0b2f9f4 flicvideo: input buffer pointer checks.
> > afb2bac48d0d044718c2da3d34a97bee244be2e3 flicvideo: fix overread.
> > a99273ebf328658c183c2d267f1c2b8bfac58bb3 ulti: Fix invalid reads
> > 53be37e368928e7f274e33ef8d118109da373c79 msrledec: Check for overreads
> > e1ba29c76430ce511fd901c8b7a1bd199b169dc0 4xm: check if there are bits left in decode_i_block()
> > http://ffmpeg.org/trac/ffmpeg/ticket/753
> > be5db7004f9d7b42b5ae9068b181dff383367e36 aascdec: Check input buffer size on raw data.
> > a40f6a5c698e314ab8c2770c1230ae0d0bd23a33 mpeg12dec: reset first_field with picture_structure changes.
> > http://ffmpeg.org/trac/ffmpeg/ticket/809
> >
> >
> > HEAP buffer overflows: (write)
> > ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi: add missing check in avfilter_filter_samples()
> > Simple case of missing check, there wasnt much using the audio filters so
> > this probably is not practically exploitable
> >
> > 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1: Fix wrong samples count and crash.
> > Simple case of amount written and check mismatching
> >
> > 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec: Fix integer overflow leading to a segfault
> > http://ffmpeg.org/trac/ffmpeg/ticket/776
> > The check missed negative values, j2k is marked as experimental though so
> > depending on the user app this may require the user to enable it.
> >
> > 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr: Fix memory corruption.
> > http://ffmpeg.org/trac/ffmpeg/ticket/760
> > v_off becoming negative and writes based on this overwriting various fields
> > of the struct which valgrind didnt detect.
> >
> > 7fff64e00d886fde11d61958888c82b461cf99b9 h264: check chroma_format_idc range.
> > http://ffmpeg.org/trac/ffmpeg/ticket/758
> >
> > 608708009f69ba4cecebf05120c696167494c897 adpcm: Fix crash
> > http://ffmpeg.org/trac/ffmpeg/ticket/794
> > Allocation for X channels, write for 2, this adds a X!=2 check
> >
> > 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3: Fix crash in tonal component decoding.
> > http://ffmpeg.org/trac/ffmpeg/ticket/780
> > Simple case of index becoming bigger than array without checks
> >
> > 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5 CODEC_ID_SOL_DPCM: Fix used write buffer.
> > Wrong pointer being used to write after recent audio API change.
> >
> > 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec: Check curtileno for validity
> > Simple missing check for index and array size. j2k is marked as experimental though so
> > depending on the user app this may require the user to enable it.
> >
> > 21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec: Fix regression / crash with lowres.
> > http://ffmpeg.org/trac/ffmpeg/ticket/757
> > memset of the full size in a reduced size buffer, this requires the user
> > to enable lowres
> >
> > HEAP+possible STACK buffer overflow: (write)
> > 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec: Fix crash in get_qcx
> > Simple missing check for index and array size. j2k is marked as experimental though so
> > depending on the user app this may require the user to enable it.
> >
> >
> > Infinite loops:
> > f0f2babca23a3d099bcd5a1e18cf5d0eae2f4ef3 Fix possible infinite loop decoding als.
> > e146ad95d79b1a6e6b9e566366b832825c79679f mlp_parser: Fix infinite loop with 0 bytes_left.
> > 5e9a56a0350c518cd4b38845aff49d41a9c952ae shorten: validate values in fmt chunk search
> > 964506bb979e8c972833c7421a39f3275d3cd3c0 golomb: Fix infinite loop in svq3_get_ue_golomb()
> > 0d4404ed65e6ebfdf5e3c09f9e3a2a41dde18e4a asfdec: fix endless loop on EOF
> > 58c41799ab6b52df86b6afe23304f34b62741326 lzo: fix memcpy_backptr() with 0 offset
> > e5de9289232c5b14572fa13e2435f9adb0b0f1ec Fix a possible endless loop when decoding aac.
> > 46d65fb8a574465499a470d0c34a30902e45176a mxfdec: Sanity check PreviousPartition
> > 2116e4ba917748c0985be2347d400ba0f3fe6c64 mxfdec: Check url_feof() in mxf_read_local_tags()
> > 3c7f75bd84b4c30a0f86a491a37f759dfaaab86d avidec: move eof check before continue.
> > http://ffmpeg.org/trac/ffmpeg/ticket/800
> > 7859740c6a2f9bc3dd247dc63b8e7cbd6181a5dd adx_parser: rewrite.
> > 3bf1d787b58cf268f3c055d6f2509fd75258450b adx_parser: Fix infinite loop.
> > 290e7eb77bee5a54182fb3d5fb122c1e117190da Fix possible endless loop when decoding amr.
> > e098fba5d9c9d52aaddd83e63dd910ff20b841d2 avidec: Fix infinite loop caused by rounding of timestamps in non interleaved avis.
> > http://ffmpeg.org/trac/ffmpeg/ticket/775
> >
> >
> > (near) Null pointer dereferences:
> > b9e0e9537a3ec4af1630e9f1b8d0ce68885cac16 nsvdec: Check av_malloc(string_size)
> > f41a6c8f3aeb51332bb359038cb504d3fb562a52 indeo5: Fix null pointer dereferences of ref_mb
> > 4b35ee0b7c0c4cbac3541a25a5e8c00b657c8f95 indeo5: fix null pointer crash with ref_mb
> > d46bc4133c104188dd6719365605e42bd1b5e2ff Fix crash due to partially initialized gop vars.
> > 5e5e69d0787ae4939f3f8e8d6c0342310eda28ee mxfdec: Check for NULL component
> > 134aaa79f7f1ce1df64afc7d10d2b3de77df7b08 indeo3: Fix null ptr dereference
> > http://ffmpeg.org/trac/ffmpeg/ticket/804
> > f27930cd9a2d4970b182024a42a9f5103c942f21 indeo5: Fix null pointer dereference
> > http://ffmpeg.org/trac/ffmpeg/ticket/803
> > 65f0f9183b99881af58e90e3ae2ad8b0181d52f1 tm2: Check remaining size before init_get_bits()
> > http://ffmpeg.org/trac/ffmpeg/ticket/800
> > f37b2d5a6884c7bea87a6c7454239381449bd637 aacdec: Fix null pointer crash
> > 115a57302a7d6661426304bec3a5bc72d0edf4b0 applehttp: Properly clean up if unable to probe a segment
> > 1dcce49e10dcebde9d2cc52565fa299c5fdfd691 soxdec: check av_malloc return.
> > 184f479096dabcb1eafd9c661304f410a76780ed mxfdec: Move the current_partition check inside mxf_read_header()
> > 1f273c2bf22c49e5f668debf52c497dabee636c7 ffmpeg: check return code from av_vsrc_buffer_add_frame()
> > http://ffmpeg.org/trac/ffmpeg/ticket/770
> >
> >
> > Division by zero:
> > 0d3a51e5d279dd2a56c81ba7a81a70128c5a7545 electronicarts: Fix division by zero. Fixes Ticket #793
> > http://ffmpeg.org/trac/ffmpeg/ticket/793
> > 92e2b59dec8c0124a209ce24f23450df9607d9d8 indeo5: fix division by 0 in ff_ivi_init_tiles()
> > 190a0998c353879c8f79f47678752dbb8fa62bb2 Fix a crash when reading gray pam files.
> > http://ffmpeg.org/trac/ffmpeg/ticket/837
> > fc5c49ab3247533e0a5cb203cf7122143389eb5c mpeg4videodec: Fix division by zero in mpeg4_decode_sprite_trajectory()
> > 628c9dcca3fb3f46f960f0df8236591653c6e512 j2kdec: fix division by zero, check tile dimensions for validity
> > 8d960fbc70d5d7b6cd62db22712a8d5c2c5e26bf ipmovie: fix FPE
> > http://ffmpeg.org/trac/ffmpeg/ticket/807
> > 6b6b84ae1625ce1e38ff5f1b4c0bf03450066e66 adxdec: Fix division by zero
> > e614fac2e6e185a247d722d4e92368b3c3bc4bdb adpcm: Check for channels to be a non-zero integer
> > 4af0262f7d531c33b00d7f9dbca808d9c62d6a84 cljr: Check if width or height are positive integers
> > 8b9b6332dfeb169098c8ab1351d66fc5b474dd55 mtv: Fix FPE with 0 dimensions.
> > http://ffmpeg.org/trac/ffmpeg/ticket/755
> > f371396dfb95c116a05e9b9f690fa916bb2d815e rl2demux: Fix FPE
> > 566ee0eaf1543101f7a441cc42e3ddad097363bf westwood: Make sure audio header info is present when parsing audio packets
> >
> >
> > Things that didnt fit in above:
> > 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten: Fix invalid free()
> > Adding a offset after realloc() but not undoing that before a possible
> > 2nd realloc()
> >
> >
> > 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis: Fix last quarter of CVE-2011-3893
> > This fixes a apparently forgoten case in the original patchset from google
> > Ive reproduced this by setting multiplier to the maximal value that it could
> > reach
> >
> > aa1c590b29d30b11c2f4830e6bc08e8f936f557f swr: fix assert failure
> >
> > 76b9a0961c33c9eb19b220c6f0edfbb3e79fcd59 riff: Fix freeing of random value.
> > someone tried to free an array from the stack
> > http://ffmpeg.org/trac/ffmpeg/ticket/752
> >
> >
> >
> > Thanks
> Can you or someone else take this and comment on the security
> implications of each of these? (code exec, dos, etc.) and indicate if it
> crosses a security boundary? (the list is to big for me to take on
> anytime this week).
The divisions by zero and null ptr dereferences should all allow one
to crash the lib and application. Which makes them DOS in some use
cases
The infinite loops should all be DOS
The out of array reads may or may not cause a crash
In case of the writes i dont feel qualified to call any with certainity
not "code exec" exploitable. Though i doubt
21270cffaeab2f67a613907516b2b0cd6c9eacf4 could be exploited, it just
writes a fixed byte value that the attacker cannot control
Nothing in ffmpeg runs with elevated rights so there should be no
way to get extra rights from any of these.
And almost all of these have been found through using zzuf so they
can be triggered by crafted input and that can be remote like via http
> Also are these all 2012 CVEs?
I dont know what seperates 2011 and 2012 CVEs ?
The list includes all things found after FFmpeg 0.9 (december 2011)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
During times of universal deceit, telling the truth becomes a
revolutionary act. -- George Orwell
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.