diff -Nru libav-0.8.16/Changelog libav-0.8.17/Changelog --- libav-0.8.16/Changelog 2014-09-10 20:07:29.000000000 +0000 +++ libav-0.8.17/Changelog 2015-03-10 02:21:55.000000000 +0000 @@ -1,10 +1,27 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.17: + +- utvideodec: Handle slice_height being zero (CVE-2014-9604) +- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) +- rmenc: limit packet size +- eamad: check for out of bounds read (CID/1257500) +- h264_cabac: Break infinite loops +- matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) +- gifdec: refactor interleave end handling (CVE-2014-8547) +- smc: fix the bounds check (CVE-2014-8548) +- mmvideo: check frame dimensions (CVE-2014-8543) +- jvdec: check frame dimensions (CVE-2014-8542) +- mov: avoid a memleak when multiple stss boxes are present +- apetag: Fix APE tag size check +- x86: Only use optimizations with cmov if the CPU supports the instruction +- x86: Add CPU flag for the i686 cmov instruction + version 0.8.16: - avcodec: Add more missing #includes for ff_get_buffer() -- ffv1dec: check that global parameters do not change in version 0/1 +- ffv1dec: check that global parameters do not change in version 0/1 (CVE-2013-7020) - arm: dsputil: fix overreads in put/avg_pixels functions - arm: dsputil: prettify some conditional instructions in put_pixels macros - arm/neon: dsputil: use correct size specifiers on vld1/vst1 
@@ -19,11 +36,11 @@ - svq1enc: Set picture_structure correctly - adpcmenc: Calculate the IMA_QT predictor without overflow - ffmpeg: Clarify wording of ffmpeg --> avconv deprecation message -- doc: Fix syntax and logical errors in avconv stream combination example +- doc: Fix syntax and logical errors in avconv stream combination example (libav/661) version 0.8.15: -- avcodec: Introduce ff_get_buffer +- avcodec: Introduce ff_get_buffer (CVE-2011-3935) - configure: Check for -Werror parameters on clang - lavf: Fix leftovers from the ff_get_buffer patch @@ -222,7 +239,7 @@ - 8bps: Bound-check the input buffer - rtmp: Do not misuse memcmp - rtmp: rename data_size to size -- lavc: set the default rc_initial_buffer_occupancy +- lavc: set the default rc_initial_buffer_occupancy (libav/222, ubuntu/1023408) - 4xm: Reject not a multiple of 16 dimension - 4xm: do not overread the prestream buffer - 4xm: validate the buffer size before parsing it diff -Nru libav-0.8.16/debian/changelog libav-0.8.17/debian/changelog --- libav-0.8.16/debian/changelog 2014-09-16 17:20:09.000000000 +0000 +++ libav-0.8.17/debian/changelog 2015-03-16 12:15:04.000000000 +0000 @@ -1,3 +1,15 @@ +libav (4:0.8.17-0ubuntu0.12.04.1) precise-security; urgency=medium + + * Update to 0.8.17 to fix multiple security issues (LP: #1432610) + - CVE-2014-8542 + - CVE-2014-8543 + - CVE-2014-8544 + - CVE-2014-8547 + - CVE-2014-8548 + - CVE-2014-9604 + + -- Marc Deslauriers Mon, 16 Mar 2015 08:10:23 -0400 + libav (4:0.8.16-0ubuntu0.12.04.1) precise-security; urgency=medium * Update to 0.8.16 to fix multiple security issues (LP: #1370175) diff -Nru libav-0.8.16/doc/APIchanges libav-0.8.17/doc/APIchanges --- libav-0.8.16/doc/APIchanges 2014-09-10 20:07:29.000000000 +0000 +++ libav-0.8.17/doc/APIchanges 2015-03-10 02:21:55.000000000 +0000 
@@ -13,6 +13,9 @@ API changes, most recent first: +2014-09-16 - 8637f4e - lavu 51.22.3 - cpu.h + Add AV_CPU_FLAG_CMOV. + 2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h Add AVERROR_UNKNOWN
diff -Nru libav-0.8.16/libavcodec/eamad.c libav-0.8.17/libavcodec/eamad.c
--- libav-0.8.16/libavcodec/eamad.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/eamad.c 2015-03-10 02:21:55.000000000 +0000
@@ -138,6 +138,11 @@
break;
} else if (level != 0) {
i += run;
+ if (i > 63) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+ return;
+ }
j = scantable[i];
level = (level*quant_matrix[j]) >> 4;
level = (level-1)|1;
@@ -152,6 +157,11 @@
run = SHOW_UBITS(re, &s->gb, 6)+1;
LAST_SKIP_BITS(re, &s->gb, 6);
i += run;
+ if (i > 63) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+ return;
+ }
j = scantable[i];
if (level < 0) {
level = -level;
@@ -163,10 +173,6 @@
level = (level-1)|1;
}
}
- if (i > 63) {
- av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
- return;
- }
block[j] = level;
}
diff -Nru libav-0.8.16/libavcodec/gifdec.c libav-0.8.17/libavcodec/gifdec.c
--- libav-0.8.16/libavcodec/gifdec.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/gifdec.c 2015-03-10 02:21:55.000000000 +0000
@@ -125,26 +125,21 @@
case 1:
y1 += 8;
ptr += linesize * 8;
- if (y1 >= height) {
- y1 = pass ? 2 : 4;
- ptr = ptr1 + linesize * y1;
- pass++;
- }
break;
case 2:
y1 += 4;
ptr += linesize * 4;
- if (y1 >= height) {
- y1 = 1;
- ptr = ptr1 + linesize;
- pass++;
- }
break;
case 3:
y1 += 2;
ptr += linesize * 2;
break;
}
+ while (y1 >= height) {
+ y1 = 4 >> pass;
+ ptr = ptr1 + linesize * y1;
+ pass++;
+ }
} else {
ptr += linesize;
}
diff -Nru libav-0.8.16/libavcodec/h264_cabac.c libav-0.8.17/libavcodec/h264_cabac.c
--- libav-0.8.16/libavcodec/h264_cabac.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/h264_cabac.c 2015-03-10 02:21:55.000000000 +0000
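Review bot: The five-line `i > 63` check is now duplicated verbatim in both the VLC branch and the escape branch, each time immediately before `j = scantable[i];`, so the two copies can drift apart on the next edit; a shared `goto damaged;` label or a small `static` helper would keep one copy. The bound is also a bare magic number — if `scantable` has 64 entries (its declaration is outside the hunk), a comment such as `/* scantable has 64 entries */` or a comparison against its element count would make the invariant explicit. Because the function returns void on error, the caller presumably cannot tell a damaged block from a decoded one; that matches the previous behaviour but is worth stating in a comment. The enclosing function starts before and ends after this hunk.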
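Review bot: The new `while (y1 >= height)` loop terminates only because `4 >> pass` becomes 0 once `pass` reaches 3, after which `pass` is left at 4, a value the `switch (pass)` above has no case for; none of that is written down, so a later reader can easily break it. A comment above the `while`, e.g. `/* passes 1-3 start at rows 4, 2, 1; 4 >> 3 == 0 ends the loop for any height >= 1 */`, would preserve the reasoning. With `height == 0` the loop would never exit; if this sits inside a per-row loop bounded by `height` that case is unreachable, but the hunk does not show it, so it is worth confirming. The enclosing function and the `switch` begin before this hunk.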
@@ -1719,7 +1719,7 @@
\
if( coeff_abs >= 15 ) { \
int j = 0; \
- while( get_cabac_bypass( CC ) ) { \
+ while (get_cabac_bypass(CC) && j < 30) { \
j++; \
} \
\
diff -Nru libav-0.8.16/libavcodec/jvdec.c libav-0.8.17/libavcodec/jvdec.c
--- libav-0.8.16/libavcodec/jvdec.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/jvdec.c 2015-03-10 02:21:55.000000000 +0000
@@ -42,6 +42,14 @@
JvContext *s = avctx->priv_data;
avctx->pix_fmt = PIX_FMT_PAL8;
dsputil_init(&s->dsp, avctx);
+
+ if (!avctx->width || !avctx->height ||
+ (avctx->width & 7) || (avctx->height & 7)) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+ avctx->width, avctx->height);
+ return AVERROR(EINVAL);
+ }
+
return 0;
}
diff -Nru libav-0.8.16/libavcodec/mmvideo.c libav-0.8.17/libavcodec/mmvideo.c
--- libav-0.8.16/libavcodec/mmvideo.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/mmvideo.c 2015-03-10 02:21:55.000000000 +0000
@@ -60,6 +60,13 @@
avctx->pix_fmt = PIX_FMT_PAL8;
+ if (!avctx->width || !avctx->height ||
+ (avctx->width & 1) || (avctx->height & 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+ avctx->width, avctx->height);
+ return AVERROR(EINVAL);
+ }
+
s->frame.reference = 1;
return 0;
diff -Nru libav-0.8.16/libavcodec/smc.c libav-0.8.17/libavcodec/smc.c
--- libav-0.8.16/libavcodec/smc.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/smc.c 2015-03-10 02:21:55.000000000 +0000
@@ -69,7 +69,7 @@
row_ptr += stride * 4; \
} \
total_blocks--; \
- if (total_blocks < 0) \
+ if (total_blocks < !!n_blocks) \
{ \
av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
return; \
diff -Nru libav-0.8.16/libavcodec/tiff.c libav-0.8.17/libavcodec/tiff.c
--- libav-0.8.16/libavcodec/tiff.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/tiff.c 2015-03-10 02:21:55.000000000 +0000
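Review bot: The new `j < 30` bound silently caps the prefix length with no indication to the caller that the bitstream is corrupt, and nothing in the hunk explains why 30 was chosen. A comment on the changed line, e.g. `/* cap: a corrupt stream can emit bypass 1-bits forever, and 1 << j must stay below INT_MAX */`, would record the rationale — assuming `j` is later used as a shift count, which this hunk does not show. This code is inside a multi-line macro that begins and ends outside the hunk.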
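Review bot: The new guard rejects zero and non-multiple-of-8 dimensions but not negative ones: for a signed `avctx->width` of -8, `!avctx->width` is false and `(avctx->width & 7)` is 0, so the check passes. Unless dimensions are validated before the init callback runs (e.g. by av_image_check_size in avcodec_open2, which this hunk does not show), `if (avctx->width <= 0 || avctx->height <= 0 ||` is the safer first line. The check also sits after `dsputil_init(&s->dsp, avctx);`, which is harmless but does work before the input is validated; placing it above that call reads more naturally.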
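Review bot: Like the jvdec guard earlier in this diff, `!avctx->width || !avctx->height` combined with `& 1` does not reject negative dimensions, so `if (avctx->width <= 0 || avctx->height <= 0 ||` would be the robust first line unless dimensions are validated before decoder init elsewhere (not visible here). The message `"Invalid video dimensions: %dx%d\n"` also does not tell the user what is required; `"Invalid video dimensions: %dx%d (must be even and non-zero)\n"` would. The enclosing init function starts before this hunk.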
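Review bot: With the condition now `total_blocks < !!n_blocks`, the branch also fires when `total_blocks` is exactly 0 while `n_blocks` is non-zero, so the message `"warning: block counter just went negative (this should not happen)\n"` is no longer accurate in that case, and `AV_LOG_INFO` understates what is effectively a truncated or corrupt block stream. Consider `av_log(s->avctx, AV_LOG_ERROR, "block counter exhausted with %d blocks still pending\n", n_blocks); \` — the `%d` assumes `n_blocks` is an int, which the hunk does not show. The `!!n_blocks` idiom also deserves a one-line comment, e.g. `/* need at least one block left if this run is not finished */`. The macro this lives in begins and ends outside the hunk.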
@@ -218,6 +218,14 @@
int i, ret;
uint32_t *pal;
+ // make sure there is no aliasing in the following switch
+ if (s->bpp >= 100 || s->bppcount >= 10) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Unsupported image parameters: bpp=%d, bppcount=%d\n",
+ s->bpp, s->bppcount);
+ return AVERROR_INVALIDDATA;
+ }
+
switch (s->bpp * 10 + s->bppcount) {
case 11:
s->avctx->pix_fmt = PIX_FMT_MONOBLACK;
diff -Nru libav-0.8.16/libavcodec/utvideo.c libav-0.8.17/libavcodec/utvideo.c
--- libav-0.8.16/libavcodec/utvideo.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/utvideo.c 2015-03-10 02:21:55.000000000 +0000
@@ -246,6 +246,8 @@
for (slice = 0; slice < slices; slice++) {
slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
@@ -301,6 +303,8 @@
slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start;
slice_height >>= 1;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
diff -Nru libav-0.8.16/libavcodec/x86/dsputil_mmx.c libav-0.8.17/libavcodec/x86/dsputil_mmx.c
--- libav-0.8.16/libavcodec/x86/dsputil_mmx.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/x86/dsputil_mmx.c 2015-03-10 02:21:55.000000000 +0000
@@ -2683,7 +2683,8 @@
c->add_hfyu_median_prediction = ff_add_hfyu_median_prediction_mmx2;
#endif
#if HAVE_7REGS
- if (HAVE_AMD3DNOW && (mm_flags & AV_CPU_FLAG_3DNOW))
+ if (HAVE_AMD3DNOW && (mm_flags & AV_CPU_FLAG_3DNOW) &&
+ (mm_flags & AV_CPU_FLAG_CMOV))
c->add_hfyu_median_prediction = add_hfyu_median_prediction_cmov;
#endif
diff -Nru libav-0.8.16/libavcodec/x86/h264dsp_mmx.c libav-0.8.17/libavcodec/x86/h264dsp_mmx.c
--- libav-0.8.16/libavcodec/x86/h264dsp_mmx.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/x86/h264dsp_mmx.c 2015-03-10 02:21:55.000000000 +0000
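Review bot: The aliasing guard `s->bpp >= 100 || s->bppcount >= 10` only bounds the values from above; if `bpp` and `bppcount` are signed ints filled from tag data (their declarations are outside this hunk), a `bppcount` of -9 with `bpp == 2` still yields 11 and selects `PIX_FMT_MONOBLACK`. Comparing as unsigned closes that hole without changing the accepted range: `if ((unsigned)s->bpp >= 100 || (unsigned)s->bppcount >= 10) {`. If the tag parser already rejects negative or oversized values, a comment saying so next to the check would stop the next reader from re-deriving it.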
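Review bot: After the new `continue;`, a slice whose halved `slice_height` is zero is never decoded, so whatever output that slice would have produced is left as the buffer already had it — and the same applies to the unhalved check in the earlier hunk of this file. If a zero-row slice is not legal encoder output, rejecting the frame (`return AVERROR_INVALIDDATA;`, if the enclosing function returns an int, which the hunk does not show) would be safer than skipping it; otherwise a comment such as `/* one-row slice after halving: nothing to decode, rows are left untouched */` should record that this is deliberate. The enclosing function begins and ends outside the hunk.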
@@ -361,7 +361,8 @@
if (chroma_format_idc <= 1)
c->h264_idct_add8 = ff_h264_idct_add8_8_mmx;
c->h264_idct_add16intra = ff_h264_idct_add16intra_8_mmx;
- c->h264_luma_dc_dequant_idct= ff_h264_luma_dc_dequant_idct_mmx;
+ if (mm_flags & AV_CPU_FLAG_CMOV)
+ c->h264_luma_dc_dequant_idct = ff_h264_luma_dc_dequant_idct_mmx;
if (mm_flags & AV_CPU_FLAG_MMX2) {
c->h264_idct_dc_add = ff_h264_idct_dc_add_8_mmx2;
diff -Nru libav-0.8.16/libavcodec/x86/h264_intrapred_init.c libav-0.8.17/libavcodec/x86/h264_intrapred_init.c
--- libav-0.8.16/libavcodec/x86/h264_intrapred_init.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavcodec/x86/h264_intrapred_init.c 2015-03-10 02:21:55.000000000 +0000
@@ -188,7 +188,8 @@
if (chroma_format_idc <= 1)
h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_mmx;
if (codec_id == CODEC_ID_SVQ3) {
- h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_mmx;
+ if (mm_flags & AV_CPU_FLAG_CMOV)
+ h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_mmx;
} else if (codec_id == CODEC_ID_RV40) {
h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_rv40_mmx;
} else {
diff -Nru libav-0.8.16/libavformat/apetag.c libav-0.8.17/libavformat/apetag.c
--- libav-0.8.16/libavformat/apetag.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavformat/apetag.c 2015-03-10 02:21:55.000000000 +0000
@@ -51,8 +51,10 @@
av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
return -1;
}
- if (size >= UINT_MAX)
- return -1;
+ if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_ERROR, "APE tag size too large.\n");
+ return AVERROR_INVALIDDATA;
+ }
value = av_malloc(size+1);
if (!value)
return AVERROR(ENOMEM);
diff -Nru libav-0.8.16/libavformat/matroskadec.c libav-0.8.17/libavformat/matroskadec.c
--- libav-0.8.16/libavformat/matroskadec.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavformat/matroskadec.c 2015-03-10 02:21:55.000000000 +0000
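Review bot: The reason for the padding term in `size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE` is not apparent from the hunk, whose only allocation is `av_malloc(size+1)`; if it exists to keep a later `size + FF_INPUT_BUFFER_PADDING_SIZE` allocation (outside this hunk) representable as an int, a comment such as `/* keep size + padding representable as int for the allocations below */` would stop someone from "simplifying" it back to a `size+1` check. It is also worth confirming that `size` is an unsigned type; with a signed `size`, a negative value passes this check and `size+1` is 0 for `size == -1`. The enclosing function starts before this hunk.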
@@ -1974,7 +1974,7 @@
int64_t timestamp, int flags)
{
MatroskaDemuxContext *matroska = s->priv_data;
- MatroskaTrack *tracks = matroska->tracks.elem;
+ MatroskaTrack *tracks = NULL;
AVStream *st = s->streams[stream_index];
int i, index, index_sub, index_min;
@@ -2003,6 +2003,7 @@
return 0;
index_min = index;
+ tracks = matroska->tracks.elem;
for (i=0; i < matroska->tracks.nb_elem; i++) {
tracks[i].audio.pkt_cnt = 0;
tracks[i].audio.sub_packet_cnt = 0;
diff -Nru libav-0.8.16/libavformat/mov.c libav-0.8.17/libavformat/mov.c
--- libav-0.8.16/libavformat/mov.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavformat/mov.c 2015-03-10 02:21:55.000000000 +0000
@@ -1523,6 +1523,7 @@
return 0;
if (entries >= UINT_MAX / sizeof(int))
return AVERROR_INVALIDDATA;
+ av_freep(&sc->keyframes);
sc->keyframes = av_malloc(entries * sizeof(int));
if (!sc->keyframes)
return AVERROR(ENOMEM);
diff -Nru libav-0.8.16/libavformat/rmenc.c libav-0.8.17/libavformat/rmenc.c
--- libav-0.8.16/libavformat/rmenc.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavformat/rmenc.c 2015-03-10 02:21:55.000000000 +0000
@@ -44,6 +44,10 @@
/* in ms */
#define BUFFER_DURATION 0
+/* the header needs at most 7 + 4 + 12 B */
+#define MAX_HEADER_SIZE (7 + 4 + 12)
+/* UINT16_MAX is the maximal chunk size */
+#define MAX_PACKET_SIZE (UINT16_MAX - MAX_HEADER_SIZE)
static void put_str(AVIOContext *s, const char *tag)
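Review bot: Nothing at the new `tracks = matroska->tracks.elem;` assignment says why the load was moved here from the declaration in the previous hunk, so a future cleanup could hoist it back and reintroduce the read-after-free this commit fixes. A comment at the assignment such as `/* tracks.elem may have been reallocated while parsing up to the seek point; load it only now */` would pin the ordering. The seek function begins before the first hunk and continues after this one, so the statements between the two hunks that can reallocate the array are not visible here.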
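Review bot: If a count field accompanies `sc->keyframes` (the hunk shows only `entries` and the array), it still holds the previous stss box's value after the new `av_freep(&sc->keyframes);`, so a failed `av_malloc` on the second box leaves a NULL array paired with a stale non-zero count for whatever reads them later. Resetting that count at the same point, and logging the duplicate box with a warning before the `av_freep`, would keep the state consistent and make the malformed file visible in the log. The enclosing function starts before this hunk.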
@@ -387,6 +391,10 @@
/* Well, I spent some time finding the meaning of these bits. I am not
sure I understood everything, but it works !! */
#if 1
+ if (size > MAX_PACKET_SIZE) {
+ av_log_missing_feature(s, "Muxing packets larger than 64 kB", 0);
+ return AVERROR(ENOSYS);
+ }
write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame);
/* bit 7: '1' if final packet of a frame converted in several packets */
avio_w8(pb, 0x81);
diff -Nru libav-0.8.16/libavutil/avutil.h libav-0.8.17/libavutil/avutil.h
--- libav-0.8.16/libavutil/avutil.h 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavutil/avutil.h 2015-03-10 02:21:55.000000000 +0000
@@ -155,7 +155,7 @@
#define LIBAVUTIL_VERSION_MAJOR 51
#define LIBAVUTIL_VERSION_MINOR 22
-#define LIBAVUTIL_VERSION_MICRO 2
+#define LIBAVUTIL_VERSION_MICRO 3
#define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \
LIBAVUTIL_VERSION_MINOR, \
diff -Nru libav-0.8.16/libavutil/cpu.c libav-0.8.17/libavutil/cpu.c
--- libav-0.8.16/libavutil/cpu.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavutil/cpu.c 2015-03-10 02:21:55.000000000 +0000
@@ -64,6 +64,7 @@
{ AV_CPU_FLAG_FMA4, "fma4" },
{ AV_CPU_FLAG_3DNOW, "3dnow" },
{ AV_CPU_FLAG_3DNOWEXT, "3dnowext" },
+ { AV_CPU_FLAG_CMOV, "cmov" },
#endif
{ 0 }
};
diff -Nru libav-0.8.16/libavutil/cpu.h libav-0.8.17/libavutil/cpu.h
--- libav-0.8.16/libavutil/cpu.h 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavutil/cpu.h 2015-03-10 02:21:55.000000000 +0000
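Review bot: The size guard is inserted inside the `#if 1` block, coupling the only input validation in this path to a leftover debugging toggle and placing it after a comment about header bits it has nothing to do with; hoisting `if (size > MAX_PACKET_SIZE) { ... }` above the `#if 1` keeps the check unconditional and easy to find. The message `"Muxing packets larger than 64 kB"` also slightly overstates the limit, which per the new macros is `UINT16_MAX - MAX_HEADER_SIZE` bytes. If `size` is a signed int here (its declaration is outside the hunk), a negative value passes the comparison, so `size < 0 ||` should be added in that case. The enclosing function begins before this hunk.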
@@ -41,6 +41,7 @@
#define AV_CPU_FLAG_XOP 0x0400 ///< Bulldozer XOP functions
#define AV_CPU_FLAG_FMA4 0x0800 ///< Bulldozer FMA4 functions
#define AV_CPU_FLAG_IWMMXT 0x0100 ///< XScale IWMMXT
+#define AV_CPU_FLAG_CMOV 0x1000 ///< i686 cmov
#define AV_CPU_FLAG_ALTIVEC 0x0001 ///< standard
/**
diff -Nru libav-0.8.16/libavutil/x86/cpu.c libav-0.8.17/libavutil/x86/cpu.c
--- libav-0.8.16/libavutil/x86/cpu.c 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/libavutil/x86/cpu.c 2015-03-10 02:21:55.000000000 +0000
@@ -83,6 +83,8 @@
cpuid(1, eax, ebx, ecx, std_caps);
family = ((eax>>8)&0xf) + ((eax>>20)&0xff);
model = ((eax>>4)&0xf) + ((eax>>12)&0xf0);
+ if (std_caps & (1 << 15))
+ rval |= AV_CPU_FLAG_CMOV;
if (std_caps & (1<<23))
rval |= AV_CPU_FLAG_MMX;
if (std_caps & (1<<25))
diff -Nru libav-0.8.16/RELEASE libav-0.8.17/RELEASE
--- libav-0.8.16/RELEASE 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/RELEASE 2015-03-10 02:21:55.000000000 +0000
@@ -1 +1 @@
-0.8.16
+0.8.17
diff -Nru libav-0.8.16/VERSION libav-0.8.17/VERSION
--- libav-0.8.16/VERSION 2014-09-10 20:07:29.000000000 +0000
+++ libav-0.8.17/VERSION 2015-03-10 02:21:55.000000000 +0000
@@ -1 +1 @@
-0.8.16
+0.8.17
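Review bot: The new test is written `std_caps & (1 << 15)` while the neighbouring checks in the same block use `(1<<23)` and `(1<<25)`, so the style is inconsistent within a few lines; matching the local spacing, or better, naming the bit, avoids that. A short comment such as `/* CPUID.1:EDX bit 15: CMOV */` on the added line would also document what the magic bit means, which none of the surrounding checks do. The enclosing function starts before this hunk.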