[SCM] FFmpeg packaging branch, ubuntu.karmic, updated. debian/0.5+svn20090706-1ubuntu3-36-g3f9d596

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Thu Oct 15 07:34:09 UTC 2009


The following commit has been merged in the ubuntu.karmic branch:
commit 406f25d6d0f784ca6bd34dd52eedcd3d0f7c736d
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Wed Oct 14 23:21:50 2009 +0200

    backport oggparsevorbis fix

diff --git a/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch b/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
new file mode 100644
index 0000000..2a8d510
--- /dev/null
+++ b/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
@@ -0,0 +1,54 @@
+From fdf622ded070640a924e63a6e630325520d0b567 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Thu, 24 Sep 2009 15:37:09 +0000
+Subject: [PATCH] Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
+ First, make s signed, so that comparisons against end - p will not be made as
+ unsigned, making the check incorrectly pass if p is beyond end.
+ Also ensure that p will never be > end, so the code is correct also if
+ buf is not padded.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20014 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/oggparsevorbis.c |    9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
+index afc3fcb..1ef7365 100644
+--- a/libavformat/oggparsevorbis.c
++++ b/libavformat/oggparsevorbis.c
+@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
+ {
+     const uint8_t *p = buf;
+     const uint8_t *end = buf + size;
+-    unsigned s, n, j;
++    unsigned n, j;
++    int s;
+ 
+     if (size < 8) /* must have vendor_length and user_comment_list_length */
+         return -1;
+ 
+     s = bytestream_get_le32(&p);
+ 
+-    if (end - p < s)
++    if (end - p - 4 < s || s < 0)
+         return -1;
+ 
+     p += s;
+ 
+     n = bytestream_get_le32(&p);
+ 
+-    while (p < end && n > 0) {
++    while (end - p >= 4 && n > 0) {
+         const char *t, *v;
+         int tl, vl;
+ 
+         s = bytestream_get_le32(&p);
+ 
+-        if (end - p < s)
++        if (end - p < s || s < 0)
+             break;
+ 
+         t = p;
+-- 
+1.6.3.3
+
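Review bot: The two `s < 0` tests in vorbis_comment only work because assigning the unsigned result of `bytestream_get_le32(&p)` to `int s` turns lengths of 0x80000000 and above into negative values, a conversion that is implementation-defined in C and is not explained anywhere in the code. I would put the sign test first and document the intent, e.g. `/* s is signed on purpose: oversized le32 lengths become negative and are rejected */` above `if (s < 0 || end - p - 4 < s)`, with the same ordering for the in-loop check, `if (s < 0 || end - p < s)`. The `- 4` in the first check reserves room for the user_comment_list_length read that follows `p += s`, which also deserves a short comment. The loop body continues past the end of this hunk, so the bounds of the later tag/value handling cannot be confirmed from here.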
diff --git a/debian/patches/series b/debian/patches/series
index b2c6ff0..6507805 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -47,3 +47,6 @@ security/vorbis_dec/0009-Check-begin-end-partition_size.patch
 security/vorbis_dec/0010-Make-error-return-sign-consistent.patch
 security/vorbis_dec/0011-Check-submap-indexes.patch
 security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
+
+# vorbis security backports
+security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch

-- 
FFmpeg packaging


