Please unblock ffmpeg_4:0.5.2-6

2010-10-05 Thread Reinhard Tartler
The following message is a courtesy copy of an article
that has been posted to gmane.linux.debian.devel.release as well.


Hi,

Please unblock ffmpeg_4:0.5.2-6. It fixes CVE-2010-3429.

thanks!

Diff inline:

Changes at tags/debian/0.5.2-5
Modified debian/changelog
diff --git a/debian/changelog b/debian/changelog
index ee4457a..61ed386 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ffmpeg (4:0.5.2-6) unstable; urgency=high
+
+  * Fix several security issues in flicvideo.c.
+Fixes: CVE-2010-3429, Closes: #598590
+  * Raising severity to high because of security issue.
+
+ -- Reinhard Tartler siret...@tauware.de  Sun, 03 Oct 2010 16:59:39 +0200
+
 ffmpeg (4:0.5.2-5) unstable; urgency=low
 
   [ Dominic Evans ]
New  debian/patches/fix-CVE-2010-3429.patch
diff --git a/debian/patches/fix-CVE-2010-3429.patch 
b/debian/patches/fix-CVE-2010-3429.patch
new file mode 100644
index 000..8d07a13
--- /dev/null
+++ b/debian/patches/fix-CVE-2010-3429.patch
@@ -0,0 +1,107 @@
+From: michael
+Subject: Fix several security issues in flicvideo.c
+
+This fixes CVE-2010-3429
+
+backport r25223 by michael
+
+--- a/libavcodec/flicvideo.c   (revision 25324)
 b/libavcodec/flicvideo.c   (revision 25325)
+@@ -160,7 +160,7 @@
+ int pixel_skip;
+ int pixel_countdown;
+ unsigned char *pixels;
+-int pixel_limit;
++unsigned int pixel_limit;
+ 
+ s-frame.reference = 1;
+ s-frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE 
| FF_BUFFER_HINTS_REUSABLE;
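Review bot: The switch of `pixel_limit` from `int` to `unsigned int` carries much of this fix, yet nothing at the declaration says why the type matters. The body of CHECK_PIXEL_PTR is outside these hunks; assuming it compares `pixel_ptr + n` against `pixel_limit`, the unsigned operand makes a negative `pixel_ptr` convert to a large value and fail the check instead of passing it. A comment at the declaration, such as `/* unsigned on purpose: a negative pixel_ptr must fail CHECK_PIXEL_PTR */`, would keep a later cleanup from quietly reverting the type. The same applies to the identical change in the hunk at -454,7, and the enclosing function starts and ends outside this hunk.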
+@@ -254,10 +254,13 @@
+ av_log(avctx, AV_LOG_ERROR, Undefined opcode (%x) in 
DELTA_FLI\n, line_packets);
+ } else if ((line_packets  0xC000) == 0x8000) {
+ // last byte opcode
+-pixels[y_ptr + s-frame.linesize[0] - 1] = line_packets  
0xff;
++pixel_ptr= y_ptr + s-frame.linesize[0] - 1;
++CHECK_PIXEL_PTR(0);
++pixels[pixel_ptr] = line_packets  0xff;
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++CHECK_PIXEL_PTR(0);
+ pixel_countdown = s-avctx-width;
+ for (i = 0; i  line_packets; i++) {
+ /* account for the skip bytes */
+@@ -269,7 +272,7 @@
+ byte_run = -byte_run;
+ palette_idx1 = buf[stream_ptr++];
+ palette_idx2 = buf[stream_ptr++];
+-CHECK_PIXEL_PTR(byte_run);
++CHECK_PIXEL_PTR(byte_run * 2);
+ for (j = 0; j  byte_run; j++, pixel_countdown -= 
2) {
+ pixels[pixel_ptr++] = palette_idx1;
+ pixels[pixel_ptr++] = palette_idx2;
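Review bot: The reads `palette_idx1 = buf[stream_ptr++];` and `palette_idx2 = buf[stream_ptr++];` just above the corrected check have no visible comparison of `stream_ptr` with the length of the input buffer; the patch bounds only the write index into `pixels`. If no such check exists outside the hunk, a truncated or malformed chunk would make the decoder read past the end of the packet data. The `AV_RL16(buf[stream_ptr])` reads in the hunk at -515,13 have the same shape. A guard before each read, for example `if (stream_ptr + 2 > buf_size) return -1;` (with `buf_size` standing for whatever length the function receives), would cover the read side. The enclosing function starts and ends outside this hunk.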
+@@ -299,6 +302,7 @@
+ stream_ptr += 2;
+ while (compressed_lines  0) {
+ pixel_ptr = y_ptr;
++CHECK_PIXEL_PTR(0);
+ pixel_countdown = s-avctx-width;
+ line_packets = buf[stream_ptr++];
+ if (line_packets  0) {
+@@ -454,7 +458,7 @@
+ int pixel_countdown;
+ unsigned char *pixels;
+ int pixel;
+-int pixel_limit;
++unsigned int pixel_limit;
+ 
+ s-frame.reference = 1;
+ s-frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE 
| FF_BUFFER_HINTS_REUSABLE;
+@@ -504,6 +508,7 @@
+ } else {
+ compressed_lines--;
+ pixel_ptr = y_ptr;
++CHECK_PIXEL_PTR(0);
+ pixel_countdown = s-avctx-width;
+ for (i = 0; i  line_packets; i++) {
+ /* account for the skip bytes */
+@@ -515,13 +520,13 @@
+ byte_run = -byte_run;
+ pixel= AV_RL16(buf[stream_ptr]);
+ stream_ptr += 2;
+-CHECK_PIXEL_PTR(byte_run);
++CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j  byte_run; j++, pixel_countdown -= 
2) {
+ *((signed short*)(pixels[pixel_ptr])) = 
pixel;
+ pixel_ptr += 2;
+ }
+ } else {
+-CHECK_PIXEL_PTR(byte_run);
++CHECK_PIXEL_PTR(2 * byte_run);
+ for (j = 0; j  byte_run; j++, pixel_countdown--) 
{
+ *((signed short*)(pixels[pixel_ptr])) = 
AV_RL16(buf[stream_ptr]);
+ stream_ptr += 2;
+@@ -612,7 +617,7 @@
+ if (byte_run  0) {
+ pixel= AV_RL16(buf[stream_ptr]);
+ stream_ptr += 2

Re: Please unblock ffmpeg_4:0.5.2-6

2010-10-05 Thread Julien Cristau
On Tue, Oct  5, 2010 at 15:45:41 +0200, Reinhard Tartler wrote:

 
> Hi,
>
> Please unblock ffmpeg_4:0.5.2-6. It fixes CVE-2010-3429.
 
Done.

Cheers,
Julien

