From 42f0a6696889ba275aa2087b57fa99f7a97033a0 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 5 Jan 2012 21:40:18 +0100 Subject: [PATCH 1/4] vorbisdec: Fix decoding bug with channel handling Fixes Bug: #191 Chromium Bug: #101458 CVE-2011-3895 Signed-off-by: Reinhard Tartler (cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b) Signed-off-by: Reinhard Tartler (cherry picked from commit 97f23c72a3815739ab28e297ce60f943349f6939) Conflicts: libavcodec/vorbis_dec.c --- libavcodec/vorbis_dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c index f8067db41c..4910860167 100644 --- a/libavcodec/vorbis_dec.c +++ b/libavcodec/vorbis_dec.c @@ -656,7 +656,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end>vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2); return -1; @@ -1473,6 +1473,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint_fast8_t res_num = 0; int_fast16_t retlen = 0; float fadd_bias = vc->add_bias; + int ch_left = vc->audio_channels; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1546,9 +1547,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) } } residue = &vc->residues[mapping->submap_residue[i]]; + if (ch_left < ch) { + av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); + return -1; + } vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); ch_res_ptr += ch * blocksize / 2; + ch_left -= ch; } // Inverse coupling From a5e0afe3c936220a793db0cdae04bb228f1904e0 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Thu, 5 Jan 2012 21:25:41 +0100 Subject: [PATCH 2/4] vorbis: An additional defense in the Vorbis codec. Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler (cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7) Signed-off-by: Reinhard Tartler (cherry picked from commit b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3) Conflicts: libavcodec/vorbis_dec.c --- libavcodec/vorbis_dec.c | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c index 4910860167..e5ad4aaae3 100644 --- a/libavcodec/vorbis_dec.c +++ b/libavcodec/vorbis_dec.c @@ -1262,6 +1262,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, uint_fast8_t *do_not_decode, float *vec, uint_fast16_t vlen, + unsigned ch_left, int vr_type) { GetBitContext *gb = &vc->gb; @@ -1273,6 +1274,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, uint_fast8_t ch_used; uint_fast8_t i,j,l; uint_fast16_t k; + unsigned max_output = (ch - 1) * vlen; if (vr_type == 2) { for (j = 1; j < ch; ++j) @@ -1280,8 +1282,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (do_not_decode[0]) return 0; ch_used = 1; + max_output += vr->end / ch; } else { ch_used = ch; + max_output += vr->end; + } + + if (max_output > ch_left * vlen) { + av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n"); + return -1; } AV_DEBUG(" residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c); @@ -1403,14 +1412,16 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, uint_fast8_t ch, uint_fast8_t *do_not_decode, - float *vec, uint_fast16_t vlen) + float *vec, uint_fast16_t vlen, + unsigned ch_left) + { if (vr->type == 2) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2); else if (vr->type == 1) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1); else if (vr->type == 0) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0); else { av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n"); return -1; @@ -1473,7 +1484,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint_fast8_t res_num = 0; int_fast16_t retlen = 0; float fadd_bias = vc->add_bias; - int ch_left = vc->audio_channels; + unsigned ch_left = vc->audio_channels; + unsigned vlen; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1492,11 +1504,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) blockflag = vc->modes[mode_number].blockflag; blocksize = vc->blocksize[blockflag]; + vlen = blocksize / 2; if (blockflag) skip_bits(gb, 2); // previous_window, next_window - memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? - memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? + memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? + memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? // Decode floor @@ -1516,7 +1529,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) return -1; } no_residue[i] = ret; - ch_floor_ptr += blocksize / 2; + ch_floor_ptr += vlen; } // Nonzero vector propagate @@ -1533,6 +1546,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) for (i = 0; i < mapping->submaps; ++i) { vorbis_residue *residue; uint_fast8_t ch = 0; + int ret; for (j = 0; j < vc->audio_channels; ++j) { if ((mapping->submaps == 1) || (i == mapping->mux[j])) { @@ -1551,9 +1565,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); return -1; } - vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); + if (ch) { + ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left); + if (ret < 0) + return ret; + } - ch_res_ptr += ch * blocksize / 2; + ch_res_ptr += ch * vlen; ch_left -= ch; } From 7efa13b4b49128f9660d2c4a6b9aa5da357b4720 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 10 Jan 2012 21:02:32 +0100 Subject: [PATCH 3/4] Bump version number for 0.6.5 release. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index d2b13eb644..ef5e445445 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.6.4 +0.6.5 From 62c473934822afd317dfef27754a0ff71f58ce2a Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 10 Jan 2012 21:03:20 +0100 Subject: [PATCH 4/4] Release notes and changelog for 0.6.5 --- Changelog | 10 ++++++++++ RELEASE | 16 ++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/Changelog b/Changelog index 7e9ce5dc15..11a554b28c 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,16 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.6.5: +- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) +- vorbisdec: Fix decoding bug with channel handling. +- matroskadec: Fix a bug where a pointer was cached to an array that might + later move due to a realloc(). (CVE-2011-3893) +- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893) +- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892) +- vp3: fix streams with non-zero last coefficient. + + version 0.6.4: - 4xm: Add a check in decode_i_frame to prevent buffer overreads - wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits. diff --git a/RELEASE b/RELEASE index 8193b2877b..cd18270ca4 100644 --- a/RELEASE +++ b/RELEASE @@ -176,3 +176,19 @@ Sierra VMD decoder CVE-2011-4364, and a safety fix in the svq1 decoder Distributors and system integrators are encouraged to update and share their patches against this branch. For a full list of changes please see the Changelog file. + + +* 0.6.5 + +General notes +------------- + +This mostly maintenance-only release that addresses a number a number of +bugs such as security and compilation issues that have been brought to +our attention. Among other (rather minor) fixes, this release features +fixes for the VP3 decoder (CVE-2011-3892), vorbis decoder, and matroska +demuxer (CVE-2011-3893 and CVE-2011-3895). + +Distributors and system integrators are encouraged +to update and share their patches against this branch. For a full list +of changes please see the Changelog file.