
Secunia Advisory SA47383

FFmpeg Multiple Vulnerabilities
Release Date 2012-01-06
Last Update 2012-08-29
   

Criticality level Highly critical
Impact DoS
System access
Where From remote
Solution Status Vendor Patch
   
   
Software:
FFmpeg 0.x

CVE Reference(s) CVE-2011-3893
CVE-2011-3895
CVE-2012-0851
CVE-2012-0852
CVE-2012-0847
CVE-2012-0856
CVE-2012-0854
CVE-2012-0857
CVE-2012-0849
CVE-2012-0855
  

Description

Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

1) Errors when processing MKV and Vorbis files can be exploited to cause an out-of-bounds read.

For more information see vulnerability #3 in:
SA46815

2) An error when processing Vorbis files can be exploited to cause a heap-based buffer overflow.

For more information see vulnerability #5 in:
SA46815

3) An error within the "process_audio_header_eacs()" function (libavformat/electronicarts.c) can be exploited to cause a division by zero via e.g. specially crafted TGV files.

4) An error within the "ff_pnm_decode_header()" function (libavcodec/pnm.c) can be exploited to cause a division by zero via e.g. specially crafted PAM files.

5) An error within the "decode_band_types()" function (libavcodec/aacdec.c) can be exploited to cause an infinite loop via e.g. specially crafted PCM files.

6) An error within the "load_ipmovie_packet()" function (libavformat/ipmovie.c) can be exploited to cause a division by zero via e.g. specially crafted MVE files.

7) An error within the "decode_slice_thread()" function (libavcodec/proresdec2.c) can be exploited to cause a crash due to an out-of-bounds read via e.g. specially crafted MOV files.

8) Errors within the "mpeg1_decode_sequence()" and "vcr2_init_sequence()" functions (libavcodec/mpeg12.c) can be exploited to cause a crash via e.g. specially crafted MPEG2 TS files.

9) A NULL-pointer dereference error within the "parse_bintree()" function (libavcodec/indeo3.c) can be exploited to cause a crash via e.g. specially crafted MOV files.

10) An error within the "get_ur_golomb_jpegls()" function (libavcodec/golomb.h) can be exploited to cause an infinite loop via e.g. specially crafted AVI files.

11) A NULL-pointer dereference error within the "ff_ivi_output_plane()" function (libavcodec/ivi_common.c) can be exploited to cause a crash via e.g. specially crafted media files using the INDEO5 codec.

12) Errors within the handling of MVE files can be exploited to cause a crash due to excessive memory consumption.

13) A NULL-pointer dereference error within the "tm2_read_stream()" function (libavcodec/truemotion2.c) can be exploited to cause a crash via e.g. specially crafted AVI files.

14) An error within the "avi_read_idx1()" function (libavformat/avidec.c) can be exploited to cause an infinite loop via e.g. specially crafted AVI files.

15) An error within the "adpcm_decode_frame()" function (libavcodec/adpcm.c) can be exploited to cause a crash via e.g. specially crafted WVE files.

16) An error within the "rl2_read_header()" function (libavformat/rl2.c) can be exploited to cause a crash due to a floating point exception.

17) A NULL-pointer dereference error within the "avpriv_mpeg4audio_get_config()" function (libavcodec/mpeg4audio.c) can be exploited to cause a crash.

18) An error within the "decodeTonalComponents()" function (libavcodec/atrac3.c) can be exploited to cause a crash.

19) An error within the "avi_read_header()" function (libavformat/avidec.c) can be exploited to cause a crash due to memory consumption via specially crafted AVI files.

20) An error within the "txd_read_header()" function (libavformat/txd.c) can be exploited to cause a crash due to memory consumption via specially crafted TXD files.

21) Errors within the processing of THP files can be exploited to cause a crash due to memory consumption.

22) An error within the "avi_read_packet()" function (libavformat/avidec.c) can be exploited to cause an infinite loop via specially crafted packages.

23) An integer overflow error within the "ff_j2k_dwt_init()" function (libavcodec/j2k_dwt.c) can be exploited to cause a heap-based buffer overflow.

24) An error within the "smacker_read_packet()" function (libavformat/smacker.c) can be exploited to cause a crash due to memory consumption via specially crafted SMK files.

25) An error within the "transcode_video()" function (ffmpeg.c) can be exploited to cause a crash via e.g. specially crafted VC1 files.

26) A boundary error within the "smka_decode_frame()" function (libavcodec/smacker.c) can be exploited to cause a crash due to out-of-bounds reads via specially crafted SMK files.

27) An error within the "ff_mov_read_stsd_entries()" function (libavformat/mov.c) can be exploited to cause an infinite loop via specially crafted MOV files.

28) An error when decoding JPEG files in lowres mode can be exploited to cause a crash via specially crafted JPEG files.

29) An error within the "sbr_qmf_synthesis()" function (libavcodec/aacsbr.c) can be exploited to cause a memory corruption via specially crafted media files.

30) An error within the "ff_h264_decode_seq_parameter_set()" function (libavcodec/h264_ps.c) can be exploited to cause a crash via e.g. specially crafted H264 files.

31) An error within the "mtv_read_header()" function (libavformat/mtv.c) can be exploited to cause a floating point exception via specially crafted MTV files.

32) Various other errors can be exploited to e.g. cause crashes due to NULL-pointer dereferences, out-of-bounds reads, floating point exceptions, integer overflows, excessive memory consumption and invalid memory frees or cause infinite loops via specially crafted media files.


Solution
Update to version 0.9.1.

Provided and/or discovered by
1, 2) Originally reported in Google Chrome by Aki Helin, OUSPG.

3, 5-15) Reported in a bug report by Oana Stratulat
4, 28) Reported in a bug report by ami_stuff
17) The vendor credits Gautam Gupta
18) cosmin
19-25, 27, 29, 30, 21) Diana Elena Muscalu
26) The vendor credits Shitiz Garg
32) Disclosed in GIT commits.


Original Advisory
http://ffmpeg.org/trac/ffmpeg/ticket/793
http://ffmpeg.org/trac/ffmpeg/ticket/837
http://ffmpeg.org/trac/ffmpeg/ticket/789
http://ffmpeg.org/trac/ffmpeg/ticket/807
http://ffmpeg.org/trac/ffmpeg/ticket/812
http://ffmpeg.org/trac/ffmpeg/ticket/809
http://ffmpeg.org/trac/ffmpeg/ticket/804
http://ffmpeg.org/trac/ffmpeg/ticket/806
http://ffmpeg.org/trac/ffmpeg/ticket/803
http://ffmpeg.org/trac/ffmpeg/ticket/801
http://ffmpeg.org/trac/ffmpeg/ticket/800
http://ffmpeg.org/trac/ffmpeg/ticket/794
http://ffmpeg.org/trac/ffmpeg/ticket/788
http://ffmpeg.org/trac/ffmpeg/ticket/780
http://ffmpeg.org/trac/ffmpeg/ticket/771
http://ffmpeg.org/trac/ffmpeg/ticket/772
http://ffmpeg.org/trac/ffmpeg/ticket/774
http://ffmpeg.org/trac/ffmpeg/ticket/775
http://ffmpeg.org/trac/ffmpeg/ticket/776
http://ffmpeg.org/trac/ffmpeg/ticket/777
http://ffmpeg.org/trac/ffmpeg/ticket/770
http://ffmpeg.org/trac/ffmpeg/ticket/768
http://ffmpeg.org/trac/ffmpeg/ticket/754
http://ffmpeg.org/trac/ffmpeg/ticket/760
http://ffmpeg.org/trac/ffmpeg/ticket/761
http://ffmpeg.org/trac/ffmpeg/ticket/758
http://ffmpeg.org/trac/ffmpeg/ticket/755

© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144