
Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation



Hi,

On 01.07.2014 16:27, Moritz Muehlenhoff wrote:
> On Tue, Jul 01, 2014 at 10:01:35AM +1000, Matt Palmer wrote:
> > On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote:
> > > I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is
> > > vulnerable to CVE-2014-4610 [1].
> > > The fix [2] should be easily backportable.
> >
> > Thanks for taking the time to send this info through.
> >
> > This bug has been marked as "wontfix" for squeeze; the rationale
> > provided was "end-of-life; Backports to 0.5.x not useful, too many
> > checks missing".

As this seems to be a rather important security bug, I think a backport would be useful in this case. I'm afraid I don't understand the part about 'too many checks missing'.

> > I'm not an expert in all things ffmpeg, and I wasn't the one who
> > added that note; I've Cc'd the person who added that notation to
> > provide further rationale if you need it.
>
> If there are isolated patches which apply to 0.5.x, they can be
> shipped. Raphael was also planning to push some fixes.

It's really trivial to backport this fix, as the buggy code hasn't really changed since 0.5. Attached is a patch against 0.5.10-1.

Best regards,
Andreas
--- ffmpeg-0.5.10.orig/libavutil/lzo.c
+++ ffmpeg-0.5.10/libavutil/lzo.c
@@ -62,7 +62,13 @@ static inline int get_byte(LZOContext *c) {
 static inline int get_len(LZOContext *c, int x, int mask) {
     int cnt = x & mask;
     if (!cnt) {
-        while (!(x = get_byte(c))) cnt += 255;
+        while (!(x = get_byte(c))) {
+            if (cnt >= INT_MAX - 1000) {
+                c->error |= AV_LZO_ERROR;
+                break;
+            }
+            cnt += 255;
+        }
         cnt += mask + x;
     }
     return cnt;
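Review bot: after the new break, get_len still returns cnt, which at that point is at least INT_MAX - 1000 plus mask (x is 0 whenever the loop is left this way, since the while condition only holds for a zero byte), so the callers in the 0.5.10 tree must test c->error before acting on the returned length; please confirm they do, as the hunk does not show them. The hunk also relies on INT_MAX and AV_LZO_ERROR resolving in this file: check that lzo.c includes <limits.h>, and if 0.5.10's lzo.h still names the error flags without the AV_ prefix, the flag name here has to be adjusted to match or the backport will not compile.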

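To make the overflow discussed in this thread concrete, here is an added, self-contained C example that is neither FFmpeg's nor Debian's code: a stand-in context and a run-length reader with the same shape as the patched get_len, plus a helper that builds the worst-case input (a run of zero bytes long enough to push a 32-bit counter past INT_MAX) and shows that the capped loop flags an error with a bounded count. The type and flag names (LenContext, LEN_ERROR, LEN_INPUT_DEPLETED) and the helper functions are this example's own, and the input is constructed, not captured from a real file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Error flags for the stand-in context (names are this example's, not FFmpeg's). */
enum { LEN_INPUT_DEPLETED = 1, LEN_ERROR = 8 };

typedef struct {
    const uint8_t *in, *in_end;
    int error;
} LenContext;

/* Returns the next input byte, or flags depletion and returns 1 so that a
 * run-length loop terminates even on truncated input. */
static int get_byte(LenContext *c)
{
    if (c->in < c->in_end)
        return *c->in++;
    c->error |= LEN_INPUT_DEPLETED;
    return 1;
}

/* Hardened run-length reader in the shape of the patched get_len: each zero
 * byte adds 255, and the sum is capped before it can reach INT_MAX. */
static int get_len(LenContext *c, int x, int mask)
{
    int cnt = x & mask;
    if (!cnt) {
        while (!(x = get_byte(c))) {
            if (cnt >= INT_MAX - 1000) { /* 255 + mask + x cannot bridge this gap */
                c->error |= LEN_ERROR;
                break;
            }
            cnt += 255;
        }
        cnt += mask + x;
    }
    return cnt;
}

/* Decode one length from buf and report the context's error flags. */
int checked_len(const uint8_t *buf, size_t n, int x, int mask, int *error_out)
{
    LenContext c = { buf, buf + n, 0 };
    int cnt = get_len(&c, x, mask);
    *error_out = c.error;
    return cnt;
}

/* What the unpatched loop would try to compute for `zeros` zero bytes followed
 * by terminator `last`, evaluated in 64 bits so the result is visible instead
 * of being undefined signed overflow. */
long long unchecked_len_value(size_t zeros, int mask, int last)
{
    return (long long)zeros * 255 + mask + last;
}

/* Number of zero bytes that pushes a 32-bit int counter past INT_MAX. */
size_t overflow_run_length(void)
{
    return (size_t)INT_MAX / 255 + 2;
}

/* Constructed worst-case input: a long zero run then 0x01. Caller frees. */
uint8_t *make_overflow_input(size_t *len)
{
    size_t zeros = overflow_run_length();
    uint8_t *buf = malloc(zeros + 1);
    if (!buf) { *len = 0; return NULL; }
    memset(buf, 0, zeros);
    buf[zeros] = 0x01;
    *len = zeros + 1;
    return buf;
}

/* Runs the worst case through the hardened reader; returns 1 if it was
 * rejected with LEN_ERROR and a bounded, non-negative count, 0 otherwise. */
int overflow_input_is_rejected(void)
{
    size_t len;
    uint8_t *buf = make_overflow_input(&len);
    if (!buf) return 0;
    int err = 0;
    int cnt = checked_len(buf, len, 0, 31, &err);
    free(buf);
    return (err & LEN_ERROR) && cnt >= 0 && cnt < INT_MAX;
}
```

The worst-case buffer is a little over 8 MB of zeros, which is all an attacker-controlled stream needs to drive the unchecked counter past INT_MAX; the 1000-byte margin in the cap leaves room for the final `mask + x` addition, so the returned count stays a valid int even on the error path, which is why callers still have to look at the error flags rather than the count alone.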