[SCM] vlc/squeeze: Fix heap overflow in CDG decoder

xtophe-guest at users.alioth.debian.org xtophe-guest at users.alioth.debian.org
Sun Jan 23 22:05:17 UTC 2011


The following commit has been merged in the squeeze branch:
commit 6ae1f814bf751b6eef43c81e0ca38d7fffff5d8d
Author: Christophe Mutricy <xtophe at chewa.net>
Date:   Sun Jan 23 20:07:29 2011 +0000

    Fix heap overflow in CDG decoder
    
    Patch taken from upstream
    
    Thanks: Dan Rosenberg

diff --git a/debian/patches/cdg-heap-overflow.diff b/debian/patches/cdg-heap-overflow.diff
new file mode 100644
index 0000000..307ebb0
--- /dev/null
+++ b/debian/patches/cdg-heap-overflow.diff
@@ -0,0 +1,48 @@
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Subject: Fix heap overflows in CDG decoder
+
+    This patch resolves two heap corruption vulnerabilities in the CDG
+    decoder for VLC media player.  In both cases, a failure to properly
+    validate indexes into statically-sized arrays on the heap could allow a
+    maliciously crafted CDG video to corrupt the heap in a controlled
+    manner, potentially leading to code execution.
+    
+    The patch is against v1.1.5 from vlc git, but this decoder hasn't been
+    touched in awhile, so I'd expect it to cleanly apply to older versions.
+    I've tested it and confirmed it resolves the heap corruption issues and
+    does not break functionality.
+    
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=d11fca8bf9dc058bcdf67d81c04f84f8905ad8b4
+Date:   Fri Jan 7 11:06:08 2011 -0500
+
+
+diff --git a/modules/codec/cdg.c b/modules/codec/cdg.c
+index 31ecd0e..fe7b62d 100644
+--- a/modules/codec/cdg.c
++++ b/modules/codec/cdg.c
+@@ -254,7 +254,13 @@ static int DecodeTileBlock( decoder_sys_t *p_cdg, const uint8_t *p_data, int doX
+         for( x = 0; x < 6; x++ )
+         {
+             const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
+-            uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
++
++            int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
++            if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
++                return 0;
++
++            uint8_t *p = &p_cdg->p_screen[index];
++
+             if( doXor )
+                 *p ^= p_color[idx];
+             else
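Review bot: the new check at `if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )` only bounds the upper end; unless the caller guarantees that `sx` and `sy` are non-negative (not visible in this hunk), a negative origin gives a negative `index` that passes the test and writes before `p_screen`. It is also evaluated once per pixel inside the `x`/`y` loops and returns 0 mid-tile, leaving a partially painted block. Suggest a single check on the tile origin before the loops, on both bounds, e.g. `if( sx < 0 || sy < 0 || sx + 6 > CDG_SCREEN_WIDTH || sy + 12 > CDG_SCREEN_HEIGHT ) return 0;`, and then keep the original pointer computation. Note that an `index` below the buffer size but with `sx+x >= CDG_SCREEN_PITCH` still wraps into the next row; that is a rendering glitch rather than an overflow, but the origin check above rules it out as well.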
+@@ -319,8 +325,8 @@ static int DecodeScroll( decoder_sys_t *p_cdg, const uint8_t *p_data, int b_copy
+ 
+             if( b_copy )
+             {
+-                dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
+-                dy = ( dy + CDG_SCREEN_WIDTH  ) % CDG_SCREEN_WIDTH;
++                dy %= CDG_SCREEN_HEIGHT;
++                dx %= CDG_SCREEN_WIDTH;
+             }
+             else
+             {
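Review bot: `dy %= CDG_SCREEN_HEIGHT;` and `dx %= CDG_SCREEN_WIDTH;` keep the sign of the dividend in C, so a negative scroll offset stays negative after this line, whereas the removed `( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT` form mapped it back into `0..CDG_SCREEN_HEIGHT-1`. The fix is right to correct the original's typo (both removed lines assign `dy`, so `dx` was never normalised), but unless `dx` and `dy` are known to be non-negative here, suggest keeping the additive form for both: `dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;` and `dx = ( dx + CDG_SCREEN_WIDTH ) % CDG_SCREEN_WIDTH;`.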
diff --git a/debian/patches/series b/debian/patches/series
index 5b89c52..f6b5eb4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 502_xulrunner_191.diff
 503_autoreconf.diff
 CVE-2010-3907.diff
+cdg-heap-overflow.diff
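Review bot: the new entry `cdg-heap-overflow.diff` does not follow the naming the series already uses for its other security fix, `CVE-2010-3907.diff`; if an identifier is assigned for these CDG issues, renaming the patch file to match would make the series self-documenting, otherwise consider a numbered prefix like the `50x_` patches above so ordering stays explicit.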

-- 
VLC media player packaging



More information about the pkg-multimedia-commits mailing list
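The two defects the patch addresses, an unchecked tile index into a fixed-size screen buffer and a scroll offset reduced with `%` without normalisation, are shown side by side in the following added example. This is constructed illustration code, not VLC's decoder and not part of the commit above; the screen geometry (300x216, pitch equal to width, one byte per pixel), the 6x12 tile size and the `decode_tile` / `wrap_*` helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not VLC's code. Screen geometry assumed from the
 * CD+G format: 300x216 pixels, one byte per pixel, pitch == width. */
#define CDG_SCREEN_WIDTH  300
#define CDG_SCREEN_HEIGHT 216
#define CDG_SCREEN_PITCH  CDG_SCREEN_WIDTH
#define CDG_SCREEN_SIZE   (CDG_SCREEN_PITCH * CDG_SCREEN_HEIGHT)

/* Pre-patch style: the index is computed from packet-controlled sx/sy and
 * used as-is. Returned here as a number so the overflow can be observed. */
static long tile_index_unchecked(int sx, int sy, int x, int y)
{
    return (long)(sy + y) * CDG_SCREEN_PITCH + (sx + x);
}

/* Patch-style check: reject indexes at or past the end of the buffer.
 * A negative index is not caught by this comparison. */
static long tile_index_checked(int sx, int sy, int x, int y)
{
    long index = (long)(sy + y) * CDG_SCREEN_PITCH + (sx + x);
    if (index >= CDG_SCREEN_SIZE)
        return -1;
    return index;
}

/* Stricter variant: validate the tile origin once, on both bounds, before
 * the 6x12 loop, so neither a negative origin nor a row wrap is possible. */
static int tile_origin_ok(int sx, int sy)
{
    return sx >= 0 && sy >= 0 &&
           sx + 6 <= CDG_SCREEN_WIDTH &&
           sy + 12 <= CDG_SCREEN_HEIGHT;
}

/* Paint one 6x12 tile (bitmap[y] holds 6 pixel bits, MSB first, as in the
 * decoder loop in the patch). Returns 1 on success, 0 if rejected.
 * p_screen must hold CDG_SCREEN_SIZE bytes. */
static int decode_tile(uint8_t *p_screen, int sx, int sy,
                       const uint8_t bitmap[12], const uint8_t color[2],
                       int do_xor)
{
    if (!tile_origin_ok(sx, sy))
        return 0;
    for (int y = 0; y < 12; y++)
        for (int x = 0; x < 6; x++) {
            int idx = (bitmap[y] >> (5 - x)) & 0x01;
            uint8_t *p = &p_screen[(sy + y) * CDG_SCREEN_PITCH + (sx + x)];
            if (do_xor) *p ^= color[idx]; else *p = color[idx];
        }
    return 1;
}

/* Scroll offset reduced with a bare %: C keeps the sign of the dividend,
 * so a negative offset is still negative afterwards. */
static int wrap_plain(int d, int extent)
{
    return d % extent;
}

/* Additive form: yields 0..extent-1 for any d > -extent. */
static int wrap_normalised(int d, int extent)
{
    return (d + extent) % extent;
}

/* Demo: paint the bottom-right tile and return the last pixel written. */
static int demo_last_pixel(void)
{
    static uint8_t screen[CDG_SCREEN_SIZE];
    uint8_t bitmap[12];
    const uint8_t color[2] = { 0, 7 };
    memset(screen, 0, sizeof screen);
    memset(bitmap, 0x3f, sizeof bitmap);       /* all 6 bits set per row */
    if (!decode_tile(screen, 294, 204, bitmap, color, 0))
        return -1;
    return screen[CDG_SCREEN_SIZE - 1];
}

int main(void)
{
    printf("unchecked index for sy=216: %ld (buffer size %d)\n",
           tile_index_unchecked(0, 216, 0, 0), CDG_SCREEN_SIZE);
    printf("checked index for sy=216: %ld\n", tile_index_checked(0, 216, 0, 0));
    printf("checked index for sx=-6: %ld (negative slips through)\n",
           tile_index_checked(-6, 0, 0, 0));
    printf("wrap_plain(-1): %d  wrap_normalised(-1): %d\n",
           wrap_plain(-1, CDG_SCREEN_HEIGHT),
           wrap_normalised(-1, CDG_SCREEN_HEIGHT));
    printf("last pixel after bottom-right tile: %d\n", demo_last_pixel());
    return 0;
}
```

The `tile_index_checked` result for a negative origin is the point of the first review note: the patch's comparison stops the write past the end of `p_screen`, but an origin check on both bounds, as in `tile_origin_ok`, is what removes the whole class of out-of-buffer pointers. `wrap_plain` versus `wrap_normalised` shows why the additive form the old code used for `dy` is worth keeping.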