Re: CVE Request: ffmpeg

[Marc Deslauriers <marc.deslauriers () canonical com>]

On Sun, 2011-12-04 at 11:36 -0700, Kurt Seifried wrote:
> On 12/04/2011 04:06 AM, Marc Deslauriers wrote:
> > This doesn't seem to have a CVE:
> >
> > An error within the "svq1_decode_frame()" function
> > (libavcodec/svq1dec.c) can be exploited to corrupt memory.
> >
> > http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2
> >
> > http://secunia.com/advisories/46888/
> > http://archives.neohapsis.com/archives/bugtraq/2011-11/0148.html
> The secunia page lists 3 CVE's and 4 issues with no mappings to CVE's to
> issues that I can see. Can you reply with the mapping information that
> you used to determine that this issue was not assigned a CVE (as opposed
> to one of the other issues)?. Also can you confirm or proove that these
> 4 issues are all separate and that two of them have not been merged
> (thus obviating any need for a third CVE)? Thanks in advance. If anyone
> from Secunia is on this list I'd love to hear from you/any comments on
> this issue are more then welcome.

Sure!

The 3 other issues got CVEs assigned here:

http://marc.info/?l=oss-security&m=132205107221272&w=2

CVE-2011-4351 - An error within the QDM2 decoder (libavcodec/qdm2.c) can
be exploited to cause a buffer overflow.

Seems to be the following commits in libavcodec/qdm2.c (at least the
last one, the others seem to be a bit older):
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=491eaf35ae1f9b619441314bec33766e31580184
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=291d74a46d32183653db07818c7b3407fd50a288
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7d49f79f1cd47783a963a757a6563b9cac29db62
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=14db3af4f26dad8e6ddf2147e96ccc710952ad4d
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=895d258e9ba065d035dd30dbc622423031f0185c

Last commit says this fixes NGS00144

CVE-2011-4352 - An integer overflow error within the "vp3_dequant()"
function (libavcodec/vp3.c) can be exploited to cause a buffer overflow.

Seems to be the following commit in libavcodec/vp3.c:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eef5c35b4352ec49ca41f6198bee8a976b1f81e5

Commit says this fixes NGS00145

CVE-2011-4353 - Errors within the "av_image_fill_pointers()", the
"vp5_parse_coeff()", and the "vp6_parse_coeff()" functions can be
exploited to trigger out-of-bounds reads.

Seems to be the following commits in libavutil/imgutils.c,
libavcodec/vp5.c, libavcodec/vp6.c:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c693aa6f71b4f539cf9df67ba42f4b1932981687
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06


So, the fourth issue, which is fixed by the following commit that
matches the description doesn't seem to have a CVE number, and doesn't
seem to be related to the others:

"An error within the "svq1_decode_frame()" function
(libavcodec/svq1dec.c) can be exploited to corrupt memory."

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2

Commit says it fixes NGS00148.

Marc.