[FFmpeg-devel] Security issues?

Michael Niedermayer michaelni
Tue Sep 22 22:44:07 CEST 2009


On Tue, Sep 22, 2009 at 10:42:14PM +0200, Michael Niedermayer wrote:
> On Tue, Sep 22, 2009 at 08:09:08PM +0200, Michael Niedermayer wrote:
> > Hi
> > 
> > Lars has mailed me the following 2 links
> > http://www.heise.de/newsticker/Sicherheitsluecken-in-VLC-und-FFmpeg--/meldung/145655
> > http://secunia.com/advisories/36805/
> 
> here's another one for vorbis that appears security relevant
> http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/23_vorbis_sane_partition.patch?view=markup
> 
> one issue is
>     uint_fast16_t n_to_read=vr->end-vr->begin;                  <-- overflow, could end at 0xFFFF, 0xFFFFFFFF or others
>     uint_fast16_t ptns_to_read=n_to_read/vr->partition_size;
>     uint_fast8_t classifs[ptns_to_read*vc->audio_channels];     <-- can end up way too big for the stack space available
> 
> also obviously as ptns_to_read is used later in code writing
> 
> again, please someone who knows vorbis_dec.c review and commit this if it's OK
> and fixes the issue

also note, 1<<20 is possibly too big for the stack

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
            conveniently.
New school: Use the highest level language in which the latest supercomputer
            can solve the problem without the user falling asleep waiting.