r1349 - in /unstable/vlc/debian: changelog control patches/405-CVE-2008-3732.diff patches/406-live555-crash.diff patches/series

xtophe-guest at users.alioth.debian.org xtophe-guest at users.alioth.debian.org
Thu Aug 21 20:55:59 UTC 2008 

Author: xtophe-guest
Date: Thu Aug 21 20:55:59 2008
New Revision: 1349

URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1349
Log:
 * Fix integer overflow in TTA (CVE-2008-3732) (405-CVE-2008-3732.diff)
  * Fix crashes in Live555 (406-live555-crash.diff)
  * Switch to libdc1394-22-dev (Closes: #484695)

Added:
    unstable/vlc/debian/patches/405-CVE-2008-3732.diff
    unstable/vlc/debian/patches/406-live555-crash.diff
Modified:
    unstable/vlc/debian/changelog
    unstable/vlc/debian/control
    unstable/vlc/debian/patches/series

Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1349&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Thu Aug 21 20:55:59 2008
@@ -1,3 +1,11 @@
+vlc (0.8.6.h-2) unstable; urgency=high
+
+  * Fix integer overflow in TTA (CVE-2008-3732) (405-CVE-2008-3732.diff)
+  * Fix crashes in Live555 (406-live555-crash.diff)
+  * Switch to libdc1394-22-dev (Closes: #484695) 
+
+ -- Christophe Mutricy <xtophe at videolan.org>  Thu, 21 Aug 2008 20:19:39 +0100
+
 vlc (0.8.6.h-1) unstable; urgency=high
 
   [ Christophe Mutricy ]

Modified: unstable/vlc/debian/control
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/control?rev=1349&op=diff
==============================================================================
--- unstable/vlc/debian/control (original)
+++ unstable/vlc/debian/control Thu Aug 21 20:55:59 2008
@@ -68,7 +68,7 @@
                zlib1g-dev,
                libavc1394-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
                libraw1394-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
-               libdc1394-13-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
+               libdc1394-22-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
                libxosd-dev,
                libtwolame-dev (>= 0.3.8),
                libspeex-dev,

Added: unstable/vlc/debian/patches/405-CVE-2008-3732.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/405-CVE-2008-3732.diff?rev=1349&op=file
==============================================================================
--- unstable/vlc/debian/patches/405-CVE-2008-3732.diff (added)
+++ unstable/vlc/debian/patches/405-CVE-2008-3732.diff Thu Aug 21 20:55:59 2008
@@ -1,0 +1,141 @@
+diff --git a/modules/demux/tta.c b/modules/demux/tta.c
+index e400908..eede5bb 100644
+--- a/modules/demux/tta.c
++++ b/modules/demux/tta.c
+@@ -60,10 +60,10 @@ struct demux_sys_t
+     es_out_id_t *p_es;
+ 
+     /* */
+-    int      i_totalframes;
+-    int      i_currentframe;
++    uint32_t i_totalframes;
++    uint32_t i_currentframe;
+     uint32_t *pi_seektable;
+-    int      i_datalength;
++    uint32_t i_datalength;
+     int      i_framelength;
+ 
+     /* */
+@@ -81,10 +81,11 @@ static int Open( vlc_object_t * p_this )
+     es_format_t fmt;
+     uint8_t     *p_peek;
+     uint8_t     p_header[22];
+-    uint8_t     *p_seektable;
+-    int         i_seektable_size = 0, i;
++    uint8_t     *p_fullheader;
++    int         i_seektable_size = 0;
+     //char        psz_info[4096];
+     //module_t    *p_id3;
++    uint32_t    i;
+ 
+     if( stream_Peek( p_demux->s, &p_peek, 4 ) < 4 )
+         return VLC_EGENERIC;
+@@ -94,7 +95,7 @@ static int Open( vlc_object_t * p_this )
+         if( !p_demux->b_force ) return VLC_EGENERIC;
+ 
+         /* User forced */
+-        msg_Err( p_demux, "this doesn't look like a flac stream, "
++        msg_Err( p_demux, "this doesn't look like a true-audio stream, "
+                  "continuing anyway" );
+     }
+ 
+@@ -106,11 +107,22 @@ static int Open( vlc_object_t * p_this )
+     p_demux->pf_control = Control;
+     p_demux->p_sys = p_sys = malloc( sizeof( demux_sys_t ) );
+     
++    if( !p_sys )
++        return VLC_ENOMEM;
++
++    p_sys->pi_seektable = NULL;
++
+     /* Read the metadata */
+     es_format_Init( &fmt, AUDIO_ES, VLC_FOURCC( 'T', 'T', 'A', '1' ) );
+     fmt.audio.i_channels = GetWLE( &p_header[6] );
+     fmt.audio.i_bitspersample = GetWLE( &p_header[8] );
+     fmt.audio.i_rate = GetDWLE( &p_header[10] );
++    if( fmt.audio.i_rate == 0 || /* Avoid divide by 0 */
++        fmt.audio.i_rate > ( 1 << 20 ) /* Avoid i_framelength overflow */ )
++    {
++        msg_Warn( p_demux, "Wrong sample rate" );
++        goto error;
++    }
+ 
+     p_sys->i_datalength = GetDWLE( &p_header[14] );
+     p_sys->i_framelength = TTA_FRAMETIME * fmt.audio.i_rate;
+@@ -118,25 +130,36 @@ static int Open( vlc_object_t * p_this )
+     p_sys->i_totalframes = p_sys->i_datalength / p_sys->i_framelength + 
+                           ((p_sys->i_datalength % p_sys->i_framelength) ? 1 : 0);
+     p_sys->i_currentframe = 0;
++    if( p_sys->i_totalframes > (1 << 29))
++        goto error;
+ 
+     i_seektable_size = sizeof(uint32_t)*p_sys->i_totalframes;
+-    p_seektable = (uint8_t *)malloc( i_seektable_size );
+-    stream_Read( p_demux->s, p_seektable, i_seektable_size );
+-    p_sys->pi_seektable = (uint32_t *)malloc(i_seektable_size);
+ 
++    /* Store the header and Seektable for avcodec */
++    fmt.i_extra = 22 + i_seektable_size + 4;
++    fmt.p_extra = p_fullheader = malloc( fmt.i_extra );
++    if( !p_fullheader )
++        goto error;
++
++    memcpy( p_fullheader, p_header, 22 );
++    p_fullheader += 22;
++    if( stream_Read( p_demux->s, p_fullheader, i_seektable_size )
++             != i_seektable_size )
++        goto error;
++
++    p_sys->pi_seektable = calloc( p_sys->i_totalframes, sizeof(uint32_t) );
++    if( !p_sys->pi_seektable )
++        goto error;
+     for( i = 0; i < p_sys->i_totalframes; i++ )
+-        p_sys->pi_seektable[i] = GetDWLE( &p_seektable[i*4] );
+-
+-    stream_Read( p_demux->s, NULL, 4 ); /* CRC */
++    {
++        p_sys->pi_seektable[i] = GetDWLE( p_fullheader );
++        p_fullheader += 4;
++    }
+ 
+-    /* Store the header and Seektable for avcodec */
+-    fmt.i_extra = 22 + (p_sys->i_totalframes * 4) + 4;
+-    fmt.p_extra = malloc( fmt.i_extra );
+-    memcpy( fmt.p_extra, p_header, 22 );
+-    memcpy( fmt.p_extra+22, p_seektable, fmt.i_extra -22 );
++    stream_Read( p_demux->s, p_fullheader, 4 ); /* CRC */
++    p_fullheader += 4;
+ 
+     p_sys->p_es = es_out_Add( p_demux->out, &fmt );
+-    free( p_seektable );
+     p_sys->i_start = stream_Tell( p_demux->s );
+     
+ #if 0
+@@ -152,6 +175,10 @@ static int Open( vlc_object_t * p_this )
+         p_sys->p_meta = vlc_meta_New();
+ #endif
+     return VLC_SUCCESS;
++error:
++    es_format_Clean( &fmt );
++    Close( p_this );
++    return VLC_EGENERIC;
+ }
+ 
+ /*****************************************************************************
+@@ -162,6 +189,7 @@ static void Close( vlc_object_t * p_this )
+     demux_t        *p_demux = (demux_t*)p_this;
+     demux_sys_t    *p_sys = p_demux->p_sys;
+ 
++    free( p_sys->pi_seektable );
+     free( p_sys );
+ }
+ 
+@@ -221,7 +249,7 @@ static int Control( demux_t *p_demux, int i_query, va_list args )
+             if( i64 > 0 )
+             {
+                 int64_t tmp = 0;
+-                int     i;
++                uint32_t i;
+                 for( i=0; i < p_sys->i_totalframes && tmp+p_sys->pi_seektable[i] < i64; i++)
+                 {
+                     tmp += p_sys->pi_seektable[i];

Added: unstable/vlc/debian/patches/406-live555-crash.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/406-live555-crash.diff?rev=1349&op=file
==============================================================================
--- unstable/vlc/debian/patches/406-live555-crash.diff (added)
+++ unstable/vlc/debian/patches/406-live555-crash.diff Thu Aug 21 20:55:59 2008
@@ -1,0 +1,28 @@
+diff --git a/modules/demux/live555.cpp b/modules/demux/live555.cpp
+index 3c75243..90040d3 100644
+--- a/modules/demux/live555.cpp
++++ b/modules/demux/live555.cpp
+@@ -829,7 +829,8 @@ describe:
+         else
+         {
+             const char *psz_tmp = strstr( psz_error, "RTSP" );
+-            sscanf( psz_tmp, "RTSP/%*s%3u", &i_code );
++            if( psz_tmp )
++                sscanf( psz_tmp, "RTSP/%*u.%*u %3u", &i_code );
+         }
+         msg_Dbg( p_demux, "DESCRIBE failed with %d: [%s]", i_code, psz_error );
+ 
+@@ -869,13 +870,6 @@ describe:
+             p_sys->rtsp = NULL;
+             goto createnew;
+         }
+-        else
+-        {
+-            msg_Dbg( p_demux, "connection timeout, retrying" );
+-            if( p_sys->rtsp ) RTSPClient::close( p_sys->rtsp );
+-            p_sys->rtsp = NULL;
+-            goto createnew;
+-        }
+         i_ret = VLC_EGENERIC;
+     }
+ 

Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1349&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Thu Aug 21 20:55:59 2008
@@ -8,3 +8,5 @@
 200_osdmenu_paths.diff
 300_manpage_syntax.diff
 401-CVE-2008-2430.diff
+405-CVE-2008-3732.diff
+406-live555-crash.diff

More information about the pkg-multimedia-commits mailing list