Hi Diego,
> In the meantime I have had an epiphany and found a simpler fix for the
> issue after staring at the code during the refactoring backport. I'll
> do some final tests and push it tomorrow.
>
> (...)
>
> The reporter claims that it's specific to one clang version (3.8.1).
> I have installed that clang version and will retry to reproduce the
> issue.
Any update on it? Are you going to issue a new point release?
There are now 32 open CVEs potentially affecting libav in wheezy.
I have reviewed some ffmpeg patches, and they seem to be fine. Could you
have a look at them, and maybe merge them for the next point release?
* check-element-type-before-applying-sbr.patch:
Imported from ffmpeg[0], should fix CVE-2015-6820.
* clear-pointers-allocate_buffers.patch:
Imported from ffmpeg[1], adapted, should fix CVE-2015-6823.
* clear-pix-buffers.patch:
Imported from ffmpeg[2], should fix CVE-2015-6824.
By the way, I have not tested whether libav was affected or not, but the
code is very similar, so it is very likely that libav is also affected.
Regards,
Hugo
[0] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
[1] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7068bf277a37479aecde2832208d820682b35e6
[2] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
--- a/libavcodec/alac.c 2016-12-09 17:52:14.000000000 +0100
+++ b/libavcodec/alac.c 2016-12-09 17:58:46.796066934 +0100
@@ -552,6 +552,13 @@
static int allocate_buffers(ALACContext *alac)
{
int ch;
+
+ for (ch = 0; ch < MAX_CHANNELS; ch++) {
+ alac->predicterror_buffer[ch] = NULL;
+ alac->outputsamples_buffer[ch] = NULL;
+ alac->extra_bits_buffer[ch] = NULL;
+ }
+
for (ch = 0; ch < alac->numchannels; ch++) {
int buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
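Review bot: the new loop at the top of allocate_buffers() needs a comment stating why the pointers are cleared before the per-channel allocation loop: if the allocation for channel N fails, the cleanup that follows must find NULL in the entries for channels N..MAX_CHANNELS-1 rather than whatever was in memory, otherwise it frees garbage (this is the CVE-2015-6823 fix the cover note refers to). Please also confirm that predicterror_buffer, outputsamples_buffer and extra_bits_buffer are all declared with MAX_CHANNELS entries, since that is the bound the loop uses while the allocation loop below only goes to alac->numchannels.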
--- a/libswscale/utils.c 2016-12-09 11:40:14.000000000 +0100
+++ b/libswscale/utils.c 2016-12-09 17:56:04.252490190 +0100
@@ -1027,9 +1027,9 @@
// allocate pixbufs (we use dynamic allocation because otherwise we would need to
// allocate several megabytes to handle all possible cases)
- FF_ALLOC_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize*3*sizeof(int16_t*), fail);
- FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize*3*sizeof(int16_t*), fail);
- FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize*3*sizeof(int16_t*), fail);
+ FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize*3*sizeof(int16_t*), fail);
+ FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize*3*sizeof(int16_t*), fail);
+ FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize*3*sizeof(int16_t*), fail);
if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat))
FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize*3*sizeof(int16_t*), fail);
//Note we need at least one pixel more at the end because of the MMX code (just in case someone wanna replace the 4000/8000)
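Review bot: switching lumPixBuf, chrUPixBuf and chrVPixBuf from FF_ALLOC_OR_GOTO to FF_ALLOCZ_OR_GOTO brings them in line with the alpPixBuf allocation two lines below, which already zeroes; the `// allocate pixbufs` comment above should say that these pointer tables must start zeroed so the fail/free path only releases rows that were actually allocated. Worth a quick check that no other pointer table in the same function still uses the non-zeroing FF_ALLOC_OR_GOTO, as the same reasoning would apply to it.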
--- a/libavcodec/aacsbr.c 2016-09-29 19:32:39.000000000 +0200
+++ b/libavcodec/aacsbr.c 2016-12-09 11:01:05.468682746 +0100
@@ -990,6 +990,8 @@
{
unsigned int cnt = get_bits_count(gb);
+ sbr->id_aac = id_aac;
+
if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
if (read_sbr_single_channel_element(ac, sbr, gb)) {
sbr->start = 0;
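Review bot: `sbr->id_aac = id_aac;` is assigned unconditionally before the element is parsed, so a failing read_sbr_single_channel_element() still records the new type while `sbr->start = 0` turns SBR off; that ordering looks intentional, but a one-line comment saying the field records the element type this SBR payload belongs to would let the later mismatch check read on its own.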
@@ -1718,6 +1720,12 @@
int ch;
int nch = (id_aac == TYPE_CPE) ? 2 : 1;
+ if (id_aac != sbr->id_aac) {
+ av_log(ac->avctx, AV_LOG_ERROR,
+ "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
+ sbr_turnoff(sbr);
+ }
+
if (sbr->start) {
sbr_dequant(sbr, id_aac);
}
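Review bot: the mismatch check calls sbr_turnoff(sbr) and then falls through to `if (sbr->start)`, so it only does the right thing if sbr_turnoff() clears sbr->start; please confirm that (a short comment would do) rather than rely on it implicitly. Also confirm that sbr->id_aac holds a defined value before the first extension payload has been parsed, so the AV_LOG_ERROR message cannot fire on a stream whose first frames carry no SBR data.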
--- a/libavcodec/sbr.h 2016-09-29 19:32:39.000000000 +0200
+++ b/libavcodec/sbr.h 2016-12-09 11:02:19.404321390 +0100
@@ -112,6 +112,7 @@
typedef struct {
int sample_rate;
int start;
+ int id_aac;
int reset;
SpectrumParameters spectrum_params;
int bs_amp_res_header;
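Review bot: the new `int id_aac;` member has no documentation comment; add one stating that it records the AAC element type (TYPE_SCE, TYPE_CPE or TYPE_CCE, per the checks in aacsbr.c) the current SBR data was read for, so the comparison in the second aacsbr.c hunk is understandable from the header alone.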