r1353 - in /unstable/vlc/debian: changelog patches/407-CVE-2008-2430.diff patches/series
lool at users.alioth.debian.org
lool at users.alioth.debian.org
Fri Aug 22 16:37:02 UTC 2008
Author: lool
Date: Fri Aug 22 16:37:02 2008
New Revision: 1353
URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1353
Log:
SECURITY: New patch, 407-CVE-2008-2430, fixes heap-overflow in the VLC WAV
demuxer; from upstream git; CVE-2008-2430.
Added:
unstable/vlc/debian/patches/407-CVE-2008-2430.diff
Modified:
unstable/vlc/debian/changelog
unstable/vlc/debian/patches/series
Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1353&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Fri Aug 22 16:37:02 2008
@@ -10,6 +10,8 @@
* Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH in rules.
* Use objdump -x instead of ldd to check for links on libX11 as ldd might
resolve libvlc to the system's version if the system has libvlc installed.
+ * SECURITY: New patch, 407-CVE-2008-2430, fixes heap-overflow in the VLC WAV
+ demuxer; from upstream git; CVE-2008-2430.
-- Christophe Mutricy <xtophe at videolan.org> Thu, 21 Aug 2008 20:19:39 +0100
Added: unstable/vlc/debian/patches/407-CVE-2008-2430.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/407-CVE-2008-2430.diff?rev=1353&op=file
==============================================================================
--- unstable/vlc/debian/patches/407-CVE-2008-2430.diff (added)
+++ unstable/vlc/debian/patches/407-CVE-2008-2430.diff Fri Aug 22 16:37:02 2008
@@ -1,0 +1,54 @@
+diff --git a/modules/demux/wav.c b/modules/demux/wav.c
+index d0dbeff..44b2715 100644
+--- a/modules/demux/wav.c
++++ b/modules/demux/wav.c
+@@ -104,7 +104,8 @@ static int Open( vlc_object_t * p_this )
+ demux_sys_t *p_sys;
+
+ uint8_t *p_peek;
+- unsigned int i_size, i_extended;
++ uint32_t i_size;
++ unsigned int i_extended;
+ char *psz_name;
+
+ WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
+@@ -137,7 +138,8 @@ static int Open( vlc_object_t * p_this )
+ msg_Err( p_demux, "cannot find 'fmt ' chunk" );
+ goto error;
+ }
+- if( i_size < sizeof( WAVEFORMATEX ) - 2 ) /* XXX -2 isn't a typo */
++ i_size += 2;
++ if( i_size < sizeof( WAVEFORMATEX ) )
+ {
+ msg_Err( p_demux, "invalid 'fmt ' chunk" );
+ goto error;
+@@ -145,14 +147,15 @@ static int Open( vlc_object_t * p_this )
+ stream_Read( p_demux->s, NULL, 8 ); /* Cannot fail */
+
+ /* load waveformatex */
+- p_wf_ext = malloc( __EVEN( i_size ) + 2 );
++ p_wf_ext = malloc( i_size );
+ if( p_wf_ext == NULL )
+ goto error;
+
+ p_wf = (WAVEFORMATEX *)p_wf_ext;
+ p_wf->cbSize = 0;
+- if( stream_Read( p_demux->s,
+- p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
++ i_size -= 2;
++ if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
++ || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
+ {
+ msg_Err( p_demux, "cannot load 'fmt ' chunk" );
+ goto error;
+@@ -173,7 +176,9 @@ static int Open( vlc_object_t * p_this )
+ /* see the following link for more information:
+ * http://www.microsoft.com/whdc/device/audio/multichaud.mspx#EFAA */
+ if( GetWLE( &p_wf->wFormatTag ) == WAVE_FORMAT_EXTENSIBLE &&
+- i_size >= sizeof( WAVEFORMATEXTENSIBLE ) )
++ i_size >= sizeof( WAVEFORMATEXTENSIBLE ) &&
++ ( p_sys->fmt.i_extra + sizeof( WAVEFORMATEX )
++ >= sizeof( WAVEFORMATEXTENSIBLE ) ) )
+ {
+ unsigned i, i_channel_mask;
+ GUID guid_subformat;
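Review bot: The new check in wav.c's Open(), `i_size += 2; if( i_size < sizeof( WAVEFORMATEX ) )`, sets only a lower bound, so the 'fmt ' chunk length read from the file still reaches `malloc( i_size )` and `stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size` unbounded. Above INT_MAX the cast result is implementation-defined. Lengths near UINT32_MAX are rejected only because the `uint32_t` wraps to 0 or 1 on the `+= 2`; with the old `/* XXX -2 isn't a typo */` remark removed, that deserves a comment such as `/* +2 leaves room for cbSize; a huge i_size wraps and fails the check below */`. I would also add an upper bound beside the lower one, `if( i_size < sizeof( WAVEFORMATEX ) || i_size > FMT_CHUNK_MAX )`, where FMT_CHUNK_MAX is a placeholder for a limit the project picks. Open() begins and ends outside these hunks, so how i_size is parsed and how stream_Read handles a length that converts to a negative int cannot be confirmed from here.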
Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1353&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Fri Aug 22 16:37:02 2008
@@ -10,3 +10,4 @@
401-CVE-2008-2430.diff
405-CVE-2008-3732.diff
406-live555-crash.diff
+407-CVE-2008-2430.diff
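Review bot: The series now lists two patches under the same CVE id, `401-CVE-2008-2430.diff` and the new `407-CVE-2008-2430.diff`, and nothing in the log or in the new patch says how they relate. A short header at the top of the 407 patch, naming the upstream commit and stating what it covers beyond 401, would let a later auditor verify the backport. The log currently gives only "from upstream git" as provenance.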