Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Reinhard Tartler siretart at tauware.de
Fri Dec 4 23:33:02 UTC 2009


Moritz Muehlenhoff <jmm at inutil.org> writes:

> Sorry, this slipped through. An update for stable-security would be very
> welcome.

Test packages (both amd64 and i386) with build logs can be found at
http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.

Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
snapshot, not all patches did apply cleanly.  I did my best to backports
all patches, but I needed to drop thee of them:

security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch

The biggest problem is that I haven't tested them yet. Testers very
welcome!

If I get positive feedback, or Moritz asks me to do so, I'll of course
upload to security.debian.org immediately.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4





More information about the pkg-multimedia-maintainers mailing list