Author: xtophe-guest
Date: Sat Jul 5 22:49:25 2008
New Revision: 1298
URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1298
Log:
Patch for CVE-2008-2430
Added:
unstable/vlc/debian/patches/401-CVE-2008-2430.diff
Modified:
unstable/vlc/debian/changelog
unstable/vlc/debian/patches/series
Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1298&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Sat Jul 5 22:49:25 2008
@@ -20,7 +20,11 @@
* added a watch file
* new upstream release, refreshing patches
- -- Reinhard Tartler <siretart at tauware.de> Tue, 24 Jun 2008 09:39:34 +0200
+ [ Christophe Mutricy ]
+ * Fix buffer overflow in Wav demux.(CVE-2008-2430)(Closes: #489004)
+ (Patch taken from upstream: 401-CVE-2008-2430.diff)
+
+ -- Christophe Mutricy <xtophe at videolan.org> Sat, 05 Jul 2008 23:45:15 +0100
vlc (0.8.6.e-2.3) unstable; urgency=low
Added: unstable/vlc/debian/patches/401-CVE-2008-2430.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/401-CVE-2008-2430.diff?rev=1298&op=file
==============================================================================
--- unstable/vlc/debian/patches/401-CVE-2008-2430.diff (added)
+++ unstable/vlc/debian/patches/401-CVE-2008-2430.diff Sat Jul 5 22:49:25 2008
@@ -1,0 +1,65 @@
+commit 3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1
+Author: Rémi Denis-Courmont <rdenis at simphalempin.com>
+Date: Sat Jun 28 14:00:57 2008 +0300
+
+ wav: fix integer overflow (CVE-2008-2430)
+
+ When i_size is sufficiently large, we would overflow malloc(), and then
+ overwrite the heap with stream_Read().
+
+ Bug reported by: Alin Rad Pop, Secunia Research.
+
+ (cherry-picked from commit 95e2f0ff579a5b987cbde9454aa1fc86080528e2)
+
+diff --git a/modules/demux/wav.c b/modules/demux/wav.c
+index 0c271d3..045344a 100644
+--- a/modules/demux/wav.c
++++ b/modules/demux/wav.c
+@@ -1,7 +1,7 @@
+ /*****************************************************************************
+ * wav.c : wav file input module for vlc
+ *****************************************************************************
+- * Copyright (C) 2001-2007 the VideoLAN team
++ * Copyright (C) 2001-2008 the VideoLAN team
+ * $Id$
+ *
+ * Authors: Laurent Aimar <fenrir at via.ecp.fr>
+@@ -106,7 +106,8 @@ static int Open( vlc_object_t * p_this )
+ demux_sys_t *p_sys;
+
+ const uint8_t *p_peek;
+- unsigned int i_size, i_extended;
++ uint32_t i_size;
++ unsigned int i_extended;
+ const char *psz_name;
+
+ WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
+@@ -139,7 +140,8 @@ static int Open( vlc_object_t * p_this )
+ msg_Err( p_demux, "cannot find 'fmt ' chunk" );
+ goto error;
+ }
+- if( i_size < sizeof( WAVEFORMATEX ) - 2 ) /* XXX -2 isn't a typo */
++ i_size += 2;
++ if( i_size < sizeof( WAVEFORMATEX ) )
+ {
+ msg_Err( p_demux, "invalid 'fmt ' chunk" );
+ goto error;
+@@ -147,14 +149,15 @@ static int Open( vlc_object_t * p_this )
+ stream_Read( p_demux->s, NULL, 8 ); /* Cannot fail */
+
+ /* load waveformatex */
+- p_wf_ext = malloc( __EVEN( i_size ) + 2 );
++ p_wf_ext = malloc( i_size );
+ if( p_wf_ext == NULL )
+ goto error;
+
+ p_wf = (WAVEFORMATEX *)p_wf_ext;
+ p_wf->cbSize = 0;
+- if( stream_Read( p_demux->s,
+- p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
++ i_size -= 2;
++ if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
++ || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
+ {
+ msg_Err( p_demux, "cannot load 'fmt ' chunk" );
+ goto error;
Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1298&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Sat Jul 5 22:49:25 2008
@@ -7,3 +7,4 @@
104_notify.diff
200_osdmenu_paths.diff
300_manpage_syntax.diff
+401-CVE-2008-2430.diff