Site Navigation

Date:      Mon,  9 Mar 2009 00:20:58 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/132434: [vuxml] [patch] multimedia/ffmpeg: fix TKADV2009-004, user-controlled memory overwrite
Message-ID:  <20090308212058.0376DB806B@phoenix.codelabs.ru>
Resent-Message-ID: <200903082130.n28LU0BD060599@freefall.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

>Number:         132434
>Category:       ports
>Synopsis:       [vuxml] [patch] multimedia/ffmpeg: fix TKADV2009-004, user-controlled memory overwrite
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 08 21:30:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-STABLE amd64

>Description:

Tobias Klein from TrapKit found that FFmpeg's 4X movied decoder is prone
to the user-controlled memory overwrite vulnerablity.

>How-To-Repeat:

http://trapkit.de/advisories/TKADV2009-004.txt

>Fix:

The following patch adds almost-upstream patch for FFmpeg (modulo
trivial modifications since snapshot from 2008-07-27).  Works fine
for my setup when FFmpeg is used as the movie transcoder.

--- fix-tkadv2009-004.diff begins here ---
>From 1d8af9e70b4060787039c00464341aa8e6cc1c5c Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 8 Mar 2009 23:42:20 +0300
 overwrite possibility

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 multimedia/ffmpeg/Makefile                  |    2 +-
 multimedia/ffmpeg/files/patch-tkadv2009-004 |   22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletions(-)
 create mode 100644 multimedia/ffmpeg/files/patch-tkadv2009-004

diff --git a/multimedia/ffmpeg/Makefile b/multimedia/ffmpeg/Makefile
index 75a5f06..0b6fadb 100644
--- a/multimedia/ffmpeg/Makefile
+++ b/multimedia/ffmpeg/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	ffmpeg
 DISTVERSION=	2008-07-27
-PORTREVISION=	8
+PORTREVISION=	9
 CATEGORIES=	multimedia audio ipv6 net
 MASTER_SITES=	${MASTER_SITE_LOCAL}
 MASTER_SITE_SUBDIR=	ahze
diff --git a/multimedia/ffmpeg/files/patch-tkadv2009-004 b/multimedia/ffmpeg/files/patch-tkadv2009-004
new file mode 100644
index 0000000..27e4d5c
--- /dev/null
+++ b/multimedia/ffmpeg/files/patch-tkadv2009-004
@@ -0,0 +1,22 @@
+Patch for TKADV2009-004, type conversion vulnerability in 4X
+movie parser
+
+Modified version of: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17#patch1
+
+--- libavformat/4xm.c.orig	2008-06-03 20:20:54.000000000 +0400
++++ libavformat/4xm.c	2009-03-08 23:38:44.000000000 +0300
+@@ -163,10 +163,12 @@
+                 return AVERROR_INVALIDDATA;
+             }
+             current_track = AV_RL32(&header[i + 8]);
++            if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
++                av_log(s, AV_LOG_ERROR, "current_track too large\n");
++                return -1;
++            }
+             if (current_track + 1 > fourxm->track_count) {
+                 fourxm->track_count = current_track + 1;
+-                if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack))
+-                    return -1;
+                 fourxm->tracks = av_realloc(fourxm->tracks,
+                     fourxm->track_count * sizeof(AudioTrack));
+                 if (!fourxm->tracks) {
-- 
1.6.1.3
--- fix-tkadv2009-004.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="e5e6fb01-0c21-11de-b26a-001fc66e7203">
    <topic>ffmpeg -- attacker-controlled memory overwrite vulnerability in 4X movie parser</topic>
    <affects>
      <package>
        <name>ffmpeg</name>
        <range><lt>2008.07.27_9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
        <p>Tobias Klein reports:</p>
        <blockquote
          cite="http://trapkit.de/advisories/TKADV2009-004.txt">;
          <p>FFmpeg contains a type conversion vulnerability while
          parsing malformed 4X movie files. The vulnerability may be
          exploited by a (remote) attacker to execute arbitrary code in
          the context of FFmpeg or an application using the FFmpeg
          library.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0385</cvename>
      <bid>33502</bid>
      <url>http://trapkit.de/advisories/TKADV2009-004.txt</url>;
    </references>
    <dates>
      <discovery>2009-01-28</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090308212058.0376DB806B>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact