Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Reinhard Tartler siretart at tauware.de
Sat Oct 31 08:12:16 UTC 2009

Marc Deslauriers <marc.deslauriers at canonical.com> writes:

> On Thu, 2009-10-15 at 13:03 +0200, Reinhard Tartler wrote:
> <snip>
>> of chromium patches and managed to locate most patches in ffmpeg trunk
>> Patches that I couldn't find upstream include:
>> 09_mov_stsz_int_oflow.patch
>> 32_mov_stream_index.patch
>> 35_mov_bad_timings.patch
>> 40_ogg_missing_header.patch
>> They probably need further investigation.
> 09_mov_stsz_int_oflow.patch:
> This looks like:
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=59a7d76f26091bb379e41e546c561d6987b2df3b
> 32_mov_stream_index.patch:
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=b601744633167a1b37bc171d298872d57522400e
> 40_ogg_missing_header.patch:
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=7fb2fe280374bcb1c41c2a8e7aa5632d18dc4279

Excellent catches, they all indeed look very relevant. I've added them
to the packaging branch.

One problem: it breaks the build. Therefore, I had to backport svn r18016
aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix the FTBFS. Without
this patch, libavformat/mov.c won't compile, as field_size is introduced
with this commit. While this patch is strictly speaking not in scope of
a security update, it is easier to stick with upstream and backport
this patch in addition.

How to proceed now? In any case, I'll prepare an upload for lucid once
it opens. Will you prepare uploads for the stable Ubuntu security pockets?

@debian security team: shall I prepare a stable-security upload with
this, or do you want some testing in unstable first? NB: I'm blocked from
uploading to unstable by ftp-master at .

Reinhard Tartler, KeyID 945348A4