[SCM] vlc/natty: AVI: fix heap buffer overflow (CVE-2011-2588)

bdrung at users.alioth.debian.org bdrung at users.alioth.debian.org
Mon Jul 18 14:59:00 UTC 2011 

The following commit has been merged in the natty branch:
commit 7a607f73ab2d0a6265971ff03655d06b390adf63
Author: Benjamin Drung <bdrung at debian.org>
Date:   Mon Jul 18 15:43:40 2011 +0200

    AVI: fix heap buffer overflow (CVE-2011-2588)

diff --git a/debian/patches/CVE-2011-2588.patch b/debian/patches/CVE-2011-2588.patch
new file mode 100644
index 0000000..bc8adb1
--- /dev/null
+++ b/debian/patches/CVE-2011-2588.patch
@@ -0,0 +1,29 @@
+From: Rémi Denis-Courmont <remi at remlab.net>
+Subject: [PATCH 2/2] AVI: fix heap buffer overflow (CVE-2011-2588)
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commit;h=6953ce0862161d09c2b7ca8686a550527a11b9a2
+
+---
+ modules/demux/avi/libavi.c |    5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/modules/demux/avi/libavi.c
++++ b/modules/demux/avi/libavi.c
+@@ -384,7 +384,8 @@
+         case( AVIFOURCC_vids ):
+             p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
+             p_chk->strf.vids.i_cat = VIDEO_ES;
+-            p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
++            p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
++                                         sizeof( *p_chk->strf.vids.p_bih ) ) );
+             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
+             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
+             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
+@@ -400,7 +401,7 @@
+             {
+                 p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
+             }
+-            if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
++            if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
+             {
+                 memcpy( &p_chk->strf.vids.p_bih[1],
+                         p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
diff --git a/debian/patches/series b/debian/patches/series
index 5867e9e..3cec799 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ backport-fix-NULL-derefence.patch
 backport-fullscreen-fix.patch
 backport-firefox-4-compatibility.patch
 CVE-2011-2587.patch
+CVE-2011-2588.patch

-- 
VLC media player packaging

More information about the pkg-multimedia-commits mailing list