FFmpeg 2.1.3 TAK remote DoS

2014.03.02

Credit: Mateusz Jurczyk and Gynvael Coldwind

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2014-2097

CWE: N/A

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

avcodec/takdec: always check bits_per_raw_sample

Fixes out of array access
Fixes: asan_heap-oob_19c7a94_6470_cov_1453611734_luckynight-partial.tak
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 

index fcbe10a..86ca3ac 100644 (file)
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -721,11 +721,9 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     }
 
-    if (s->ti.bps != avctx->bits_per_raw_sample) {
-        avctx->bits_per_raw_sample = s->ti.bps;
-        if ((ret = set_bps_params(avctx)) < 0)
-            return ret;
-    }
+    avctx->bits_per_raw_sample = s->ti.bps;
+    if ((ret = set_bps_params(avctx)) < 0)
+        return ret;
     if (s->ti.sample_rate != avctx->sample_rate) {
         avctx->sample_rate = s->ti.sample_rate;
         set_sample_rate_params(avctx);

References:

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f58eab151214d2d35ff0973f2b3e51c5eb372da4

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}