Bug#401304: Patch for this RC-bug

Andreas Barth aba at not.so.argh.org
Tue Dec 5 23:15:53 CET 2006


tags 401304 + patch
thanks

Hi,

I have a patch - if you want, I can NMU it as well.


Cheers,
Andi

diff -ur gst-ffmpeg-0.8.7~/debian/changelog gst-ffmpeg-0.8.7/debian/changelog
--- gst-ffmpeg-0.8.7~/debian/changelog	2006-12-05 22:04:36.000000000 +0000
+++ gst-ffmpeg-0.8.7/debian/changelog	2006-12-05 22:13:32.000000000 +0000
@@ -1,3 +1,10 @@
+gst-ffmpeg (0.8.7-6.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix buffer overflow in 4XM code (CVE-2006-4800). Closes: #401304
+
+ -- Andreas Barth <aba at not.so.argh.org>  Tue,  5 Dec 2006 22:08:21 +0000
+
 gst-ffmpeg (0.8.7-6) unstable; urgency=low
 
   * Backport fixes from gstreamer0.10-ffmpeg 0.10.0-2.
diff -ur gst-ffmpeg-0.8.7~/gst-libs/ext/ffmpeg/libavcodec/4xm.c gst-ffmpeg-0.8.7/gst-libs/ext/ffmpeg/libavcodec/4xm.c
--- gst-ffmpeg-0.8.7~/gst-libs/ext/ffmpeg/libavcodec/4xm.c	2005-07-20 15:39:33.000000000 +0000
+++ gst-ffmpeg-0.8.7/gst-libs/ext/ffmpeg/libavcodec/4xm.c	2006-12-05 22:08:00.000000000 +0000
@@ -606,7 +606,7 @@
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
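Review bot: The new `buf_size < 20` test only widens the log condition; the if body still holds nothing but the av_log and falls through, so a frame shorter than 20 bytes continues into the cfrm handling in the next hunk, which reads from `buf+20` and sizes its copy from a data_size computed outside this hunk. Unless a later check not visible here rejects it, the overflow the changelog says this upload fixes is reported but not prevented. Keep the existing lenient handling of a wrong size field but stop on the short frame: after the av_log add `if(buf_size < 20) return -1;`. Note also that `get32(buf)` and `get32(buf+4)` already read 8 bytes before any length check, so a buf_size below 8 remains an over-read this change does not address. The enclosing decode function starts and ends outside the hunk.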
@@ -634,6 +634,10 @@
         cfrm= &f->cfrm[i];
         
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
         
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
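Review bot: The added NULL check still stores the av_fast_realloc result straight into cfrm->data, so on failure the previous buffer (which a failed realloc leaves allocated) is overwritten with NULL and leaked, and cfrm->allocated_size may already describe a buffer that does not exist — whether av_fast_realloc updates *size before allocating is not visible here. Keep the old pointer until the result is known: `void *tmp = av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);`, test `if(!tmp)` for the error path, and only then `cfrm->data = tmp;`. The new message also misspells "failure" and lacks the trailing newline the other av_log call in this file uses: `av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n");`. This check does nothing for a negative data_size, which is computed outside the hunk and still flows unchecked into the memcpy on the last line, so the frame-length check earlier in the function has to reject short frames before this point. The enclosing function begins and ends outside this hunk.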
-- 
  http://home.arcor.de/andreas-barth/




More information about the Pkg-gstreamer-maintainers mailing list