[SCM] FFmpeg packaging branch, ubuntu.karmic, updated. debian/0.5+svn20090706-1ubuntu3-36-g3f9d596
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Thu Oct 15 07:34:09 UTC 2009
The following commit has been merged in the ubuntu.karmic branch:
commit 406f25d6d0f784ca6bd34dd52eedcd3d0f7c736d
Author: Reinhard Tartler <siretart at tauware.de>
Date: Wed Oct 14 23:21:50 2009 +0200
backport oggparsevorbis fix
diff --git a/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch b/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
new file mode 100644
index 0000000..2a8d510
--- /dev/null
+++ b/debian/patches/security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
@@ -0,0 +1,54 @@
+From fdf622ded070640a924e63a6e630325520d0b567 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Thu, 24 Sep 2009 15:37:09 +0000
+Subject: [PATCH] Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
+ First, make s signed, so that comparisons against end - p will not be made as
+ unsigned, making the check incorrectly pass if p is beyond end.
+ Also ensure that p will never be > end, so the code is correct also if
+ buf is not padded.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20014 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavformat/oggparsevorbis.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
+index afc3fcb..1ef7365 100644
+--- a/libavformat/oggparsevorbis.c
++++ b/libavformat/oggparsevorbis.c
+@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
+ {
+ const uint8_t *p = buf;
+ const uint8_t *end = buf + size;
+- unsigned s, n, j;
++ unsigned n, j;
++ int s;
+
+ if (size < 8) /* must have vendor_length and user_comment_list_length */
+ return -1;
+
+ s = bytestream_get_le32(&p);
+
+- if (end - p < s)
++ if (end - p - 4 < s || s < 0)
+ return -1;
+
+ p += s;
+
+ n = bytestream_get_le32(&p);
+
+- while (p < end && n > 0) {
++ while (end - p >= 4 && n > 0) {
+ const char *t, *v;
+ int tl, vl;
+
+ s = bytestream_get_le32(&p);
+
+- if (end - p < s)
++ if (end - p < s || s < 0)
+ break;
+
+ t = p;
+--
+1.6.3.3
+
diff --git a/debian/patches/series b/debian/patches/series
index b2c6ff0..6507805 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -47,3 +47,6 @@ security/vorbis_dec/0009-Check-begin-end-partition_size.patch
security/vorbis_dec/0010-Make-error-return-sign-consistent.patch
security/vorbis_dec/0011-Check-submap-indexes.patch
security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
+
+# vorbis security backports
+security/oggparsevorbis/0001-Fix-possible-buffer-over-read-in-vorbis_comment-fix-.patch
--
FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list