r1375 - in /unstable/vlc/debian: changelog patches/407-mms-overflow.diff patches/series
xtophe-guest at users.alioth.debian.org
xtophe-guest at users.alioth.debian.org
Mon Aug 25 00:12:05 UTC 2008
Author: xtophe-guest
Date: Mon Aug 25 00:12:05 2008
New Revision: 1375
URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1375
Log:
fix integer overflow in mms
Added:
unstable/vlc/debian/patches/407-mms-overflow.diff
Modified:
unstable/vlc/debian/changelog
unstable/vlc/debian/patches/series
Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1375&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Mon Aug 25 00:12:05 2008
@@ -1,3 +1,10 @@
+vlc (0.8.6.h-4) unstable; urgency=high
+
+ * Security: Fix integer overflow in mms module
+ (Closes: #496265)(407-mms-overflow.diff taken from upstream)
+
+ -- Christophe Mutricy <xtophe at videolan.org> Mon, 25 Aug 2008 01:07:27 +0100
+
vlc (0.8.6.h-3) unstable; urgency=low
* Minor cleanups.
Added: unstable/vlc/debian/patches/407-mms-overflow.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/407-mms-overflow.diff?rev=1375&op=file
==============================================================================
--- unstable/vlc/debian/patches/407-mms-overflow.diff (added)
+++ unstable/vlc/debian/patches/407-mms-overflow.diff Mon Aug 25 00:12:05 2008
@@ -1,0 +1,117 @@
+commit 2947f778df4f440ceeb6f5dc1bdb0e9f5cd31e74
+Author: Rémi Denis-Courmont <rdenis at simphalempin.com>
+Date: Sun Aug 24 13:18:01 2008 +0300
+
+ MMS integers handling fixes, including buffer overflow
+
+ Pointed-out-by: Pınar YanardaÄ
+ (cherry picked from commit afe3464a1c7c6f9d7640a3f5db17010c34212440)
+
+ Conflicts:
+
+ modules/access/mms/mmstu.c
+
+diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c
+index 61f9e38..df5ec78 100644
+--- a/modules/access/mms/mmstu.c
++++ b/modules/access/mms/mmstu.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ #include <vlc/vlc.h>
+ #include <string.h>
++#include <inttypes.h>
+ #include <vlc/input.h>
+ #include <errno.h>
+
+@@ -695,7 +696,7 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
+ GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 60 );
+
+ msg_Dbg( p_access,
+- "answer 0x06 flags:0x%8.8x media_length:%us packet_length:%lu packet_count:%u max_bit_rate:%d header_size:%d",
++ "answer 0x06 flags:0x%8.8"PRIx32" media_length:%"PRIu32"s packet_length:%zu packet_count:%"PRIu32" max_bit_rate:%d header_size:%zu",
+ p_sys->i_flags_broadcast,
+ p_sys->i_media_length,
+ p_sys->i_packet_length,
+@@ -749,12 +750,12 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
+ if( p_sys->i_header >= p_sys->i_header_size )
+ {
+ msg_Dbg( p_access,
+- "header complete(%d)",
++ "header complete(%zu)",
+ p_sys->i_header );
+ break;
+ }
+ msg_Dbg( p_access,
+- "header incomplete (%d/%d), reading more",
++ "header incomplete (%zu/%zu), reading more",
+ p_sys->i_header,
+ p_sys->i_header_size );
+ }
+@@ -1128,7 +1129,7 @@ static int NetFillBuffer( access_t *p_access )
+
+ static int mms_ParseCommand( access_t *p_access,
+ uint8_t *p_data,
+- int i_data,
++ size_t i_data,
+ int *pi_used )
+ {
+ #define GET32( i_pos ) \
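Review bot: `pi_used` is still an `int *` in the signature of `mms_ParseCommand` although `i_data` is now `size_t`, so the consumed-byte count handed back to the caller keeps the signed type this commit removes elsewhere. The function body lies outside this hunk, so how `*pi_used` is assigned cannot be seen here; if it is derived from `i_data` or `i_length`, a value above `INT_MAX` would convert to a negative count. Consider `size_t *pi_used`, or an explicit range check before the store, and confirm the callers.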
+@@ -1137,7 +1138,7 @@ static int mms_ParseCommand( access_t *p_access,
+ ( p_sys->p_cmd[i_pos + 3] << 24 ) )
+
+ access_sys_t *p_sys = p_access->p_sys;
+- int i_length;
++ uint32_t i_length;
+ uint32_t i_id;
+
+ if( p_sys->p_cmd )
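Review bot: The `GET32` macro whose last line appears as context here still evaluates `p_sys->p_cmd[i_pos + 3] << 24` on a `uint8_t` promoted to `int`, so a top byte of 0x80 or more shifts into the sign bit, which is undefined for a signed type. Since the commit makes `i_length` unsigned for this same class of problem, the macro term could be made unsigned as well: `( (uint32_t)p_sys->p_cmd[i_pos + 3] << 24 )`. The macro definition starts above this hunk, so its other terms were not checked here.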
+@@ -1159,10 +1160,10 @@ static int mms_ParseCommand( access_t *p_access,
+ i_id = GetDWLE( p_data + 4 );
+ i_length = GetDWLE( p_data + 8 ) + 16;
+
+- if( i_id != 0xb00bface )
++ if( i_id != 0xb00bface || i_length < 16 )
+ {
+ msg_Err( p_access,
+- "incorrect command header (0x%x)", i_id );
++ "incorrect command header (0x%"PRIx32")", i_id );
+ p_sys->i_command = 0;
+ return -1;
+ }
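Review bot: The added `i_length < 16` test is easy to misread as a minimum-size check; it is there because `GetDWLE( p_data + 8 ) + 16` is now computed in `uint32_t` and wraps for length fields above `0xffffffef`. A one-line comment would keep a later cleanup from dropping it, for example `/* i_length < 16 means the +16 above wrapped around */`. The error text still reads "incorrect command header" and prints only `i_id`, so a wrapped length and a bad signature cannot be told apart in the log.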
+@@ -1170,8 +1171,8 @@ static int mms_ParseCommand( access_t *p_access,
+ if( i_length > p_sys->i_cmd )
+ {
+ msg_Warn( p_access,
+- "truncated command (missing %d bytes)",
+- i_length - i_data );
++ "truncated command (missing %zu bytes)",
++ (size_t)i_length - i_data );
+ p_sys->i_command = 0;
+ return -1;
+ }
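Review bot: The guard tests `i_length > p_sys->i_cmd`, but the warning computes `(size_t)i_length - i_data`, so the unsigned subtraction is only safe if `p_sys->i_cmd` equals `i_data` at this point. The assignment that would establish that is outside the hunk; if the two can differ, the difference wraps and the log reports a huge byte count. Using the same operand in both places removes the dependency: `(size_t)i_length - p_sys->i_cmd`.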
+diff --git a/modules/access/mms/mmstu.h b/modules/access/mms/mmstu.h
+index b265127..8d41fe7 100644
+--- a/modules/access/mms/mmstu.h
++++ b/modules/access/mms/mmstu.h
+@@ -62,10 +62,10 @@ struct access_sys_t
+ int i_packet_seq_num;
+
+ uint8_t *p_cmd; /* latest command read */
+- int i_cmd; /* allocated at the begining */
++ size_t i_cmd; /* allocated at the begining */
+
+ uint8_t *p_header; /* allocated by mms_ReadPacket */
+- int i_header;
++ size_t i_header;
+
+ uint8_t *p_media; /* allocated by mms_ReadPacket */
+ size_t i_media;
+@@ -86,7 +86,7 @@ struct access_sys_t
+ size_t i_packet_length;
+ uint32_t i_packet_count;
+ int i_max_bit_rate;
+- int i_header_size;
++ size_t i_header_size;
+
+ /* */
+ vlc_bool_t b_seekable;
Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1375&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Mon Aug 25 00:12:05 2008
@@ -10,3 +10,4 @@
401-CVE-2008-2430.diff
405-CVE-2008-3732.diff
406-live555-crash.diff
+407-mms-overflow.diff