Bug#509616: libavcodec51: CVE-2008-4610 possible null ptr dereference in vp3.c

Nico Golde nion at debian.org
Tue Dec 23 20:13:40 UTC 2008


Package: libavcodec51
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libavcodec51.

CVE-2008-4610[0]:
| MPlayer allows remote attackers to cause a denial of service
| (application crash) via (1) a malformed AAC file, as demonstrated by
| lol-vlc.aac; or (2) a malformed Ogg Media (OGM) file, as demonstrated
| by lol-ffplay.ogm, different vectors than CVE-2007-6718.

It turned out that the lol-ffplay.ogm crashing mplayer is
not a bug in mplayer but a problem in ffmpeg itself. I
tracked this down to libavcodec/vp3.c: table->table being
NULL causes the GET_VLC macro in bitstream.h to dereference
a NULL ptr, which then causes mplayer to crash.

Attached is a patch to fix this. I am not sure if that is
the correct way to fix this, as I have no insight into the code
functionality itself, but at least it prevents mplayer from
crashing. So you might want to check back with upstream.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4610
    http://security-tracker.debian.net/tracker/CVE-2008-4610

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vp3.c.patch
Type: text/x-diff
Size: 430 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20081223/fce132ce/attachment.patch 
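
The failure mode described in the report, as an added example that is not part of the original mail, the attached patch or FFmpeg's code: a table-driven VLC reader that checks whether the lookup table was ever built before indexing it, and returns an error the caller can handle instead of dereferencing NULL. `BitReader`, `Vlc`, `read_vlc`, `demo_table` and the error codes are hypothetical names chosen for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for a bit reader and a VLC table. */
typedef struct { const uint8_t *buf; size_t size_bits, pos; } BitReader;
typedef struct { int bits; const int16_t (*table)[2]; } Vlc; /* {symbol, length} */

enum { VLC_ERR_NOTABLE = -1, VLC_ERR_EOF = -2, VLC_ERR_INVALID = -3 };

/* Constructed sample table for the codes 0 -> 10, 10 -> 20, 11 -> 30. */
static const int16_t demo_table[4][2] = { {10, 1}, {10, 1}, {20, 2}, {30, 2} };

/* Peek n bits (MSB first) without consuming them; bits past the end read as 0. */
static unsigned peek_bits(const BitReader *br, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        size_t p = br->pos + (size_t)i;
        unsigned bit = p < br->size_bits ? (br->buf[p >> 3] >> (7 - (p & 7))) & 1u : 0u;
        v = (v << 1) | bit;
    }
    return v;
}

/* Decode one symbol; the table is assumed to hold 2^bits entries when present. */
int read_vlc(BitReader *br, const Vlc *vlc)
{
    if (!vlc || !vlc->table || vlc->bits <= 0)
        return VLC_ERR_NOTABLE;   /* table never initialised: fail, do not index NULL */
    if (br->pos >= br->size_bits)
        return VLC_ERR_EOF;
    unsigned idx = peek_bits(br, vlc->bits);
    int len = vlc->table[idx][1];
    if (len <= 0 || br->pos + (size_t)len > br->size_bits)
        return VLC_ERR_INVALID;   /* unused code or code running past the input */
    br->pos += (size_t)len;
    return vlc->table[idx][0];
}

int main(void)
{
    const uint8_t data[] = { 0x58 };   /* constructed input bits: 0 10 11 */
    BitReader br = { data, 5, 0 };
    Vlc built = { 2, demo_table }, missing = { 2, NULL };
    printf("missing table -> %d\n", read_vlc(&br, &missing));
    for (int s; (s = read_vlc(&br, &built)) >= 0; )
        printf("symbol %d\n", s);
    return 0;
}
```

A decoder built this way still has to propagate the error up and stop decoding the frame; the guard only turns a crash into a rejected stream.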