ubuntustudio-bugs team mailing list archive

Thread
Date
[Bug 980963] Re: Heap-based Buffer Overflow in libavcodec

To: ubuntustudio-bugs@xxxxxxxxxxxxxxxxxxx
From: Rolf Leggewie <980963@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Jun 2015 11:29:07 -0000
Reply-to: Bug 980963 <980963@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: ffmpeg (Ubuntu Lucid)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to libav in Ubuntu.
Matching subscriptions: Ubuntu Studio Bugs
https://bugs.launchpad.net/bugs/980963

Title:
  Heap-based Buffer Overflow in libavcodec

Status in ffmpeg package in Ubuntu:
  Invalid
Status in libav package in Ubuntu:
  Fix Released
Status in ffmpeg source package in Lucid:
  Won't Fix
Status in libav source package in Lucid:
  Invalid
Status in ffmpeg source package in Natty:
  Invalid
Status in libav source package in Natty:
  Won't Fix
Status in ffmpeg source package in Oneiric:
  Invalid
Status in libav source package in Oneiric:
  Won't Fix
Status in ffmpeg source package in Precise:
  Invalid
Status in libav source package in Precise:
  Triaged
Status in ffmpeg source package in Quantal:
  Invalid
Status in libav source package in Quantal:
  Fix Released

Bug description:
  A vulnerability in the decoder for VQA media files exists in function
  vqa_decode_chunk (libavcodec/vqavideo.c) of libavcodec (part of
  FFmpeg). This vulnerability allows memory on the heap to be corrupted
  and possibly leads o arbitrary code execution.

  Here's the relevant excerpt from vqa_decode_chunk:

  1 int lobytes = 0;
  2 int hibytes = s->decode_buffer_size / 2;
  3 ...
  4 for (y = 0; y < s->frame.linesize[0] * s->height;
  5   y += s->frame.linesize[0] * s->vector_height) {
  6
  7   for (x = y; x < y + s->width; x += 4, lobytes++, hibytes++) {
  8        pixel_ptr = x;
  9       /* get the vector index, the method for which varies according to
  10          * VQA file version */
  11        switch (s->vqa_version) {
  12        case 1:
  13          ...
  14        case 2:
  15            lobyte = s->decode_buffer[lobytes];
  16            hibyte = s->decode_buffer[hibytes];
  17            vector_index = (hibyte << 8) | lobyte;
  18            vector_index <<= index_shift;
  19            lines = s->vector_height;
  20            break;
  21
  22        case 3:
  23          ...
  24       }
  25        while (lines--) {
  26           s->frame.data[0][pixel_ptr + 0] = s->codebook[vector_index++];
  27           s->frame.data[0][pixel_ptr + 1] = s->codebook[vector_index++];
  28            s->frame.data[0][pixel_ptr + 2] = s->codebook[vector_index++];
  29           s->frame.data[0][pixel_ptr + 3] = s->codebook[vector_index++];
  30            pixel_ptr += s->frame.linesize[0];
  31        }
  32    }
  33 }

  This function fills the pixel buffer (s->frame.data[0]) in tiles of
  4x4 pixels on lines 25 to 30. The problem is that a check to verify
  that the index still addresses a location inside the buffer is
  performed only by the conditions of the for-loops on line 4 and 7,
  however, for the inner while-loop starting on line 25, no such check
  exists. In consequence, up to three extra lines can be written beyond
  the end of the buffer.

  A sample file has been attached, which causes a crash on Ubuntu 11.10
  (32 bit) when played with mplayer. We hope this information is useful
  to you.

  
  Fabian Yamaguchi - University of Goettingen
  Markus Lottmann - Technische Universitaet Berlin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/980963/+subscriptions