[FFmpeg-devel] Security issues?

Michael Niedermayer michaelni
Tue Sep 22 21:50:28 CEST 2009

On Tue, Sep 22, 2009 at 08:09:08PM +0200, Michael Niedermayer wrote:
> Hi
> lars has mailed me the following 2 links
> http://www.heise.de/newsticker/Sicherheitsluecken-in-VLC-und-FFmpeg--/meldung/145655
> http://secunia.com/advisories/36805/

another issue in vorbis_dec.c

        for(j=0;j<mapping_setup->submaps;++j) {
            skip_bits(gb, 8); // FIXME check?

            mapping_setup->submap_floor[j]=get_bits(gb, 8);
            mapping_setup->submap_residue[j]=get_bits(gb, 8);

these 2 aren't being checked and then used as index into an array
from where a function ptr is used:
        vorbis_floor *floor;
        if (mapping->submaps>1) {
        } else {

        no_residue[i]=floor->decode(vc, &floor->data, ch_floor_ptr);
the size of that array seems to be just:
vc->floors=av_mallocz(vc->floor_count * sizeof(vorbis_floor));

Chrome's patch for it:

i suggest this one should be applied (after someone reviewed it)

Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
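
The range checks the message above says are missing, sketched as an added example; this is not part of the original post and is not the FFmpeg or Chrome patch. The byte reader, `residue_count`, `parse_submaps` and `check_header` are assumed names standing in for the decoder's own, and the two headers are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the decoder state. Field names follow the
 * excerpt; residue_count and the byte reader are assumptions. */
typedef struct { const uint8_t *buf; size_t len, pos; } byte_reader;
typedef struct { uint8_t submaps, submap_floor[16], submap_residue[16]; } mapping_setup_t;
typedef struct { unsigned floor_count, residue_count; } codec_ctx;

/* Read one byte, or -1 when the input is exhausted. */
static int read_u8(byte_reader *r)
{
    return r->pos < r->len ? r->buf[r->pos++] : -1;
}

/* Parse the per-submap entries. Returns 0 on success, -1 if the stream is
 * truncated or names a floor/residue that was never allocated. */
static int parse_submaps(const codec_ctx *vc, mapping_setup_t *m, byte_reader *r)
{
    if (m->submaps > 16) return -1;          /* capacity of the arrays here */
    for (unsigned j = 0; j < m->submaps; ++j) {
        int skip    = read_u8(r);            /* the skipped 8 bits */
        int floor   = read_u8(r);
        int residue = read_u8(r);
        if (skip < 0 || floor < 0 || residue < 0)
            return -1;
        /* Both values are later used as array indices (the floor one
         * selects a function pointer), so reject anything at or above
         * the allocated element counts before storing it. */
        if ((unsigned)floor >= vc->floor_count ||
            (unsigned)residue >= vc->residue_count)
            return -1;
        m->submap_floor[j]   = (uint8_t)floor;
        m->submap_residue[j] = (uint8_t)residue;
    }
    return 0;
}

/* Constructed sample headers: 2 submaps, 3 bytes each. */
static const uint8_t good_hdr[] = { 0, 1, 0,   0, 0, 1 };
static const uint8_t bad_hdr[]  = { 0, 1, 0,   0, 200, 1 };  /* floor index 200 */

/* Parse a header against a context with 2 floors and 2 residues. */
static int check_header(const uint8_t *hdr, size_t len)
{
    codec_ctx vc = { 2, 2 };
    mapping_setup_t m = { .submaps = 2 };
    byte_reader r = { hdr, len, 0 };
    return parse_submaps(&vc, &m, &r);
}
```

Rejecting the header at parse time means the decode path never sees an index it cannot trust, which is simpler to audit than checking at each later use.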