{"id":"MGASA-2016-0018","summary":"Updated ffmpeg packages fix security vulnerabilities","details":"The update_dimensions function in libavcodec/vp8.c in FFmpeg before 2.4.12,\nas used in Google Chrome before 46.0.2490.71 and other products, relies on a\ncoefficient-partition count during multi-threaded operation, which allows\nremote attackers to cause a denial of service (race condition and memory\ncorruption) or possibly have unspecified other impact via a crafted WebM file\n(CVE-2015-6761).\n\nThe decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.4.11\ndoes not enforce uniqueness of the IHDR (aka image header) chunk in a PNG\nimage, which allows remote attackers to cause a denial of service\n(out-of-bounds array access) or possibly have unspecified other impact via a\ncrafted image with two or more of these chunks (CVE-2015-6818).\n\nThe ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.4.11 does\nnot check for a matching AAC frame syntax element before proceeding with\nSpectral Band Replication calculations, which allows remote attackers to\ncause a denial of service (out-of-bounds array access) or possibly have\nunspecified other impact via crafted AAC data (CVE-2015-6820).\n\nThe ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before\n2.4.11 does not properly maintain the encoding context, which allows remote\nattackers to cause a denial of service (invalid pointer access) or possibly\nhave unspecified other impact via crafted MPEG data (CVE-2015-6821).\n\nThe destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.4.11\ndoes not properly maintain height and width values in the video context,\nwhich allows remote attackers to cause a denial of service (segmentation\nviolation and application crash) or possibly have unspecified other impact\nvia crafted LucasArts Smush video data (CVE-2015-6822).\n\nThe allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.4.11\ndoes not initialize certain context data, which allows remote attackers to\ncause a denial of service (segmentation violation) or possibly have\nunspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data\n(CVE-2015-6823).\n\nThe sws_init_context function in libswscale/utils.c in FFmpeg before 2.4.11\ndoes not initialize certain pixbuf data structures, which allows remote\nattackers to cause a denial of service (segmentation violation) or possibly\nhave unspecified other impact via crafted video data (CVE-2015-6824).\n\nThe ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg\nbefore 2.4.11 mishandles certain memory-allocation failures, which allows\nremote attackers to cause a denial of service (invalid pointer access) or\npossibly have unspecified other impact via a crafted file, as demonstrated\nby an AVI file (CVE-2015-6825).\n\nThe ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg\nbefore 2.4.11 does not initialize certain structure members, which allows\nremote attackers to cause a denial of service (invalid pointer access) or\npossibly have unspecified other impact via crafted RV30 or RV40 RealVideo\ndata (CVE-2015-6826).\n\nThe ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before\n2.4.12 omits certain width and height checks, which allows remote attackers\nto cause a denial of service (out-of-bounds array access) or possibly have\nunspecified other impact via crafted MJPEG data (CVE-2015-8216).\n\nThe init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12\ndoes not enforce minimum-value and maximum-value constraints on tile\ncoordinates, which allows remote attackers to cause a denial of service\n(out-of-bounds array access) or possibly have unspecified other impact via\ncrafted JPEG 2000 data (CVE-2015-8219).\n\nThe jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg\nbefore 2.4.12 does not enforce uniqueness of the SIZ marker in a JPEG 2000\nimage, which allows remote attackers to cause a denial of service\n(out-of-bounds heap-memory access) or possibly have unspecified other impact\nvia a crafted image with two or more of these markers (CVE-2015-8363).\n\nInteger overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in\nFFmpeg before 2.4.12 allows remote attackers to cause a denial of service\n(out-of-bounds heap-memory access) or possibly have unspecified other impact\nvia crafted image dimensions in Indeo Video Interactive data (CVE-2015-8364).\n\nThe smka_decode_frame function in libavcodec/smacker.c in FFmpeg before\n2.4.12 does not verify that the data size is consistent with the number of\nchannels, which allows remote attackers to cause a denial of service\n(out-of-bounds array access) or possibly have unspecified other impact via\ncrafted Smacker data (CVE-2015-8365).\n\nThe h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg\nbefore 2.4.12 does not validate the relationship between the number of\nthreads and the number of slices, which allows remote attackers to cause a\ndenial of service (out-of-bounds array access) or possibly have unspecified\nother impact via crafted H.264 data (CVE-2015-8661).\n\nThe ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before\n2.4.12 does not validate the number of decomposition levels before proceeding\nwith Discrete Wavelet Transform decoding, which allows remote attackers to\ncause a denial of service (out-of-bounds array access) or possibly have\nunspecified other impact via crafted JPEG 2000 data (CVE-2015-8662).\n\nThe ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.4.12\npreserves width and height values after a failure, which allows remote\nattackers to cause a denial of service (out-of-bounds array access) or\npossibly have unspecified other impact via a crafted .mov file\n(CVE-2015-8663).\n","modified":"2026-04-16T06:25:42.232647286Z","published":"2016-01-15T01:52:38Z","upstream":["CVE-2015-6761","CVE-2015-6818","CVE-2015-6820","CVE-2015-6821","CVE-2015-6822","CVE-2015-6823","CVE-2015-6824","CVE-2015-6825","CVE-2015-6826","CVE-2015-8216","CVE-2015-8219","CVE-2015-8363","CVE-2015-8364","CVE-2015-8365","CVE-2015-8661","CVE-2015-8662","CVE-2015-8663"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0018.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17257"},{"type":"WEB","url":"http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.12"},{"type":"WEB","url":"http://ffmpeg.org/download.html"},{"type":"WEB","url":"http://ffmpeg.org/security.html"}],"affected":[{"package":{"name":"ffmpeg","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ffmpeg?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.12-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0018.json"}},{"package":{"name":"ffmpeg","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ffmpeg?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.12-1.mga5.tainted"}]}],"ecosystem_specific":{"section":"tainted"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0018.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}