Message-ID: <ac9eeb3580fa48569f233b0ebbf6e424@imshyb02.MITRE.ORG>
Date: Sun, 4 Dec 2016 22:10:41 -0500
From: <cve-assign@...re.org>
To: <ago@...too.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: libav: multiple crashes from the Undefined Behavior Sanitizer

> https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer

> libav-11.8/libavcodec/mpegvideo.c:2381:65: runtime
> error: left shift of negative value -1
>
> libav-11.8/libavcodec/mpegvideo.c:2382:65: runtime
> error: left shift of negative value -1
>
> libav-11.8/libavcodec/mpegvideo.c:2383:65: runtime
> error: left shift of negative value -1
>
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo

Use CVE-2016-9819.

> libav-11.8/libavcodec/mpegvideo_motion.c:323:47: runtime
> error: left shift of negative value -1
>
> libav-11.8/libavcodec/mpegvideo_motion.c:331:55: runtime
> error: left shift of negative value -1
>
> libav-11.8/libavcodec/mpegvideo_motion.c:336:55: runtime
> error: left shift of negative value -1
>
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo

Use CVE-2016-9820.

> libav-11.8/libavcodec/mpegvideo_parser.c:91:65: runtime
> error: signed integer overflow: 28573696 * 400 cannot be represented in type
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser

Use CVE-2016-9821.

> libav-11.8/libavcodec/mpeg12dec.c:1401:41: runtime
> error: signed integer overflow: 28573696 * 400 cannot be represented in type
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser

Use CVE-2016-9822.

> libav-11.8/libavcodec/x86/mpegvideo.c:53:18: runtime
> error: index -1 out of bounds for type 'uint8_t [64]'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo

Use CVE-2016-9823.

> libav-11.8/libswscale/x86/swscale.c:189:64: runtime
> error: signed integer overflow: 65463 * 65537 cannot be represented in type
> 'int'
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c

Use CVE-2016-9824.

> libav-11.8/libswscale/utils.c:340:30:
> runtime error: left shift of negative value -1
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00040-libav-leftshift-utils_c

Use CVE-2016-9825.

> libav-11.8/libavcodec/ituh263dec.c:645:34: runtime
> error: left shift of negative value -16
> Testcase:
> https://github.com/asarubbo/poc/blob/master/00041-libav-leftshift-ituh263dec_c

Use CVE-2016-9826.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]