[SCM] vlc/maverick: Fix heap overflow in CDG decoder and heap corruption in some XML based subtitles decoder.

bdrung at users.alioth.debian.org bdrung at users.alioth.debian.org
Mon Jan 24 22:16:18 UTC 2011


The following commit has been merged in the maverick branch:
commit 37c75565cc062b8ce765ca2c3e732b34157544b4
Author: Benjamin Drung <bdrung at ubuntu.com>
Date:   Mon Jan 24 22:47:21 2011 +0100

    Fix heap overflow in CDG decoder and heap corruption in some XML based subtitles decoder.

diff --git a/debian/patches/cdg-heap-overflow.diff b/debian/patches/cdg-heap-overflow.diff
new file mode 100644
index 0000000..d04e283
--- /dev/null
+++ b/debian/patches/cdg-heap-overflow.diff
@@ -0,0 +1,44 @@
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Subject: Fix heap overflows in CDG decoder
+ This patch resolves two heap corruption vulnerabilities in the CDG
+ decoder for VLC media player.  In both cases, a failure to properly
+ validate indexes into statically-sized arrays on the heap could allow a
+ maliciously crafted CDG video to corrupt the heap in a controlled
+ manner, potentially leading to code execution.
+ .
+ The patch is against v1.1.5 from vlc git, but this decoder hasn't been
+ touched in awhile, so I'd expect it to cleanly apply to older versions.
+ I've tested it and confirmed it resolves the heap corruption issues and
+ does not break functionality.
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=d11fca8bf9dc058bcdf67d81c04f84f8905ad8b4
+
+diff --git a/modules/codec/cdg.c b/modules/codec/cdg.c
+index 31ecd0e..fe7b62d 100644
+--- a/modules/codec/cdg.c
++++ b/modules/codec/cdg.c
+@@ -254,7 +254,13 @@ static int DecodeTileBlock( decoder_sys_t *p_cdg, const uint8_t *p_data, int doX
+         for( x = 0; x < 6; x++ )
+         {
+             const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
+-            uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
++
++            int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
++            if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
++                return 0;
++
++            uint8_t *p = &p_cdg->p_screen[index];
++
+             if( doXor )
+                 *p ^= p_color[idx];
+             else
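Review bot: the new bounds check in DecodeTileBlock is one-sided. `index` is an `int` built from `sy+y` and `sx+x`, so unless `sx` and `sy` are already known to be non-negative at this point, a negative `index` still passes `if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )` and addresses memory before `p_screen`. Suggest `if( index < 0 || index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )`, or better, validate `sx` and `sy` once against the tile size before the two loops and reject the block up front; that removes a check from every pixel and avoids returning 0 with a tile half-written. Note also that the check bounds the flat offset only: an `sx+x` beyond the row width stays under PITCH*HEIGHT and silently wraps into the next row, so if row overflow matters for rendering, bound the column against CDG_SCREEN_WIDTH separately.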
+@@ -319,8 +325,8 @@ static int DecodeScroll( decoder_sys_t *p_cdg, const uint8_t *p_data, int b_copy
+ 
+             if( b_copy )
+             {
+-                dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
+-                dy = ( dy + CDG_SCREEN_WIDTH  ) % CDG_SCREEN_WIDTH;
++                dy %= CDG_SCREEN_HEIGHT;
++                dx %= CDG_SCREEN_WIDTH;
+             }
+             else
+             {
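Review bot: the replacement `dy %= CDG_SCREEN_HEIGHT; dx %= CDG_SCREEN_WIDTH;` drops the `+ CDG_SCREEN_HEIGHT` the old line added before the modulo, which is the usual idiom for keeping the result non-negative when the operand can be negative; in C, `%` on a negative `int` yields a negative remainder. If `dy` or `dx` can be negative here, the new form leaves them negative and the wrap no longer protects the later indexing. Suggest `dy = ((dy % CDG_SCREEN_HEIGHT) + CDG_SCREEN_HEIGHT) % CDG_SCREEN_HEIGHT;` and the same for `dx`. The patch header should also say that the old second line was a copy-paste bug (it wrapped `dy` by the width and never touched `dx`), since that is the substantive fix in this hunk.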
diff --git a/debian/patches/series b/debian/patches/series
index c6be4de..f22c0ae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 200_osdmenu_paths.diff
 300_transcode_aspect_ratio.diff
 CVE-2010-3907.diff
+cdg-heap-overflow.diff
+xml-heap-corruption.diff
diff --git a/debian/patches/xml-heap-corruption.diff b/debian/patches/xml-heap-corruption.diff
new file mode 100644
index 0000000..3858320
--- /dev/null
+++ b/debian/patches/xml-heap-corruption.diff
@@ -0,0 +1,32 @@
+Author: Harry Sintonen <sintonen at iki.fi>
+Subject: Handle early termination properly in StripTags
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=dc14617f39c03bbe80c3cc4f92799dca840966eb
+
+diff --git a/modules/codec/subtitles/subsdec.c b/modules/codec/subtitles/subsdec.c
+index 5c55a6e..bfdbb13 100644
+--- a/modules/codec/subtitles/subsdec.c
++++ b/modules/codec/subtitles/subsdec.c
+@@ -632,6 +632,9 @@ static char *StripTags( char *psz_subtitle )
+             *psz_text++ = *psz_subtitle;
+         }
+ 
++        /* Security fix: Account for the case where input ends early */
++        if( *psz_subtitle == '\0' ) break;
++
+         psz_subtitle++;
+     }
+     *psz_text = '\0';
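Review bot: the comment `/* Security fix: Account for the case where input ends early */` names the category of the change but not the defect. State what goes wrong: the tag-handling code above can presumably leave `psz_subtitle` on the terminating NUL, and the unconditional `psz_subtitle++` then steps past the end of the string, so the following iterations read, and copy into `psz_text`, bytes beyond the buffer. Also confirm in the description that the loop's own condition does not cover this case on its own; if it does not, this `break` is the only thing preventing the overrun and deserves a regression test with a subtitle that ends inside an unterminated tag.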
+diff --git a/modules/codec/subtitles/subsusf.c b/modules/codec/subtitles/subsusf.c
+index 5754137..fc1cf07 100644
+--- a/modules/codec/subtitles/subsusf.c
++++ b/modules/codec/subtitles/subsusf.c
+@@ -1081,6 +1081,9 @@ static char *StripTags( char *psz_subtitle )
+             *psz_text++ = *psz_subtitle;
+         }
+ 
++        /* Security fix: Account for the case where input ends early */
++        if( *psz_subtitle == '\0' ) break;
++
+         psz_subtitle++;
+     }
+     *psz_text = '\0';
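Review bot: this hunk is the same three-line fix as the one in subsdec.c, applied to a second private copy of StripTags in subsusf.c. Two identical copies of a parser that has just needed a security fix are a maintenance risk: the next fix can land in one and miss the other. Suggest a follow-up that moves StripTags into a shared helper both decoders call, or at minimum a comment in each copy pointing at the other so they are kept in sync.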

-- 
VLC media player packaging


