[FFmpeg-devel] Security issues?
Michael Niedermayer
michaelni
Tue Sep 22 21:50:28 CEST 2009
On Tue, Sep 22, 2009 at 08:09:08PM +0200, Michael Niedermayer wrote:
> Hi
>
> lars has mailed me the following 2 links
> http://www.heise.de/newsticker/Sicherheitsluecken-in-VLC-und-FFmpeg--/meldung/145655
> http://secunia.com/advisories/36805/
another issue in vorbis_dec.c
    for(j=0;j<mapping_setup->submaps;++j) {
        skip_bits(gb, 8); // FIXME check?
        mapping_setup->submap_floor[j]=get_bits(gb, 8);
        mapping_setup->submap_residue[j]=get_bits(gb, 8);
these 2 aren't being checked and then used as index into an array
from where a function ptr is used:
    vorbis_floor *floor;
    if (mapping->submaps>1) {
        floor=&vc->floors[mapping->submap_floor[mapping->mux[i]]];
    } else {
        floor=&vc->floors[mapping->submap_floor[0]];
    }
    no_residue[i]=floor->decode(vc, &floor->data, ch_floor_ptr);
the size of that array seems to be just:
vc->floors=av_mallocz(vc->floor_count * sizeof(vorbis_floor));
Chrome's patch for it:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/10_vorbis_submap_indexes.patch?revision=24214&view=markup
I suggest this one should be applied (after someone reviewed it)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
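The bug class in the mail above, shown as an added example; this is not FFmpeg's vorbis_dec.c and not the Chrome patch. It models the two parse loops in a toy: an MSB-first bit reader (BitReader, get_bits, skip_bits), a Mapping struct holding the 8-bit submap indices, the unchecked parser as it appears in the mail, and a checked variant that rejects any index outside the tables the decoder allocated (FLOOR_COUNT stands in for vc->floor_count; residue_count is assumed to bound submap_residue the same way). All names, the three-byte header streams (a skipped time byte, then the floor and residue indices) and the counts are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy MSB-first bit reader standing in for the decoder's GetBitContext
 * (hypothetical, not FFmpeg code). Reads past the end yield zero bits. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static unsigned get_bits(BitReader *gb, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        unsigned bit = 0;
        if (gb->pos < gb->size_bits)
            bit = (gb->buf[gb->pos >> 3] >> (7 - (gb->pos & 7))) & 1;
        gb->pos++;
        v = (v << 1) | bit;
    }
    return v;
}

static void skip_bits(BitReader *gb, int n) { gb->pos += n; }

#define MAX_SUBMAPS 16

typedef struct {
    unsigned submaps;
    uint8_t  submap_floor[MAX_SUBMAPS];
    uint8_t  submap_residue[MAX_SUBMAPS];
} Mapping;

/* Vulnerable shape, as in the mail: the two 8-bit values are stored as read,
 * so anything 0..255 later becomes an index into a floor_count-sized table. */
static void parse_submaps_unchecked(BitReader *gb, Mapping *m)
{
    for (unsigned j = 0; j < m->submaps; ++j) {
        skip_bits(gb, 8);
        m->submap_floor[j]   = get_bits(gb, 8);
        m->submap_residue[j] = get_bits(gb, 8);
    }
}

/* Hardened shape: accept an index only if it addresses an allocated entry. */
static int parse_submaps_checked(BitReader *gb, Mapping *m,
                                 unsigned floor_count, unsigned residue_count)
{
    for (unsigned j = 0; j < m->submaps; ++j) {
        skip_bits(gb, 8);
        unsigned f = get_bits(gb, 8);
        unsigned r = get_bits(gb, 8);
        if (f >= floor_count || r >= residue_count) {
            fprintf(stderr, "submap %u: floor %u / residue %u out of range "
                            "(have %u floors, %u residues)\n",
                    j, f, r, floor_count, residue_count);
            return -1;
        }
        m->submap_floor[j]   = f;
        m->submap_residue[j] = r;
    }
    return 0;
}

/* Constructed header bytes for one submap: skipped time byte, floor index,
 * residue index. The hostile stream asks for floor 200 of a 2-entry table. */
static const uint8_t HOSTILE_SUBMAP[] = { 0x00, 0xC8, 0x01 };
static const uint8_t BENIGN_SUBMAP[]  = { 0x00, 0x01, 0x00 };
#define FLOOR_COUNT   2
#define RESIDUE_COUNT 2

/* The floor index the unchecked parser would hand to vc->floors[]. */
static unsigned hostile_index_unchecked(void)
{
    BitReader gb = { HOSTILE_SUBMAP, sizeof(HOSTILE_SUBMAP) * 8, 0 };
    Mapping m = { 1, {0}, {0} };
    parse_submaps_unchecked(&gb, &m);
    return m.submap_floor[0];
}

/* Verdict of the checked parser on a stream: 0 accepted, -1 rejected. */
static int verdict_checked(const uint8_t *stream, size_t len)
{
    BitReader gb = { stream, len * 8, 0 };
    Mapping m = { 1, {0}, {0} };
    return parse_submaps_checked(&gb, &m, FLOOR_COUNT, RESIDUE_COUNT);
}

int main(void)
{
    printf("unchecked parser stores floor index %u (table has %d entries)\n",
           hostile_index_unchecked(), FLOOR_COUNT);
    printf("checked parser, hostile stream: %d\n",
           verdict_checked(HOSTILE_SUBMAP, sizeof(HOSTILE_SUBMAP)));
    printf("checked parser, benign stream:  %d\n",
           verdict_checked(BENIGN_SUBMAP, sizeof(BENIGN_SUBMAP)));
    return 0;
}
```

The point of checking at parse time rather than at use is that the index is consumed in the per-frame path through a function pointer (floor->decode), so a single out-of-range value is enough to read a pointer from past the end of the floors allocation; rejecting the header keeps that path from ever seeing an index it cannot trust.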