[SCM] vlc/master: Add upstream patches for CVEs

Wed Jan 21 22:10:50 UTC 2015

The following commit has been merged in the master branch:
commit 3d0e77f4f690d779c04de0c877f783484e454330
Author: Sebastian Ramacher <sramacher at debian.org>
Date:   Wed Jan 21 23:01:31 2015 +0100

    Add upstream patches for CVEs
    
    Closes: #775866

diff --git a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..31502ad
--- /dev/null
+++ b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] codec: schroedinger: fix potential buffer overflow.
+ The variable len is a raw 32 bit value read using GetDWBE. If this
+ value is larger than UINT32_MAX - sizeof(eos), this will cause an
+ integer overflow in the subsequent call to malloc, and finally a
+ buffer overflow when calling memcpy. We fix this by checking len
+ accordingly.
+Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
+index f48aa2b..977afca 100644
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
+                      * is appended to the sequence header to allow guard
+                      * against poor streaming servers */
+                     /* XXX, should this be done using the packetizer ? */
++
++                    if( len > UINT32_MAX - sizeof( eos ) )
++                        return NULL;
++
+                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+                     if( !p_enc->fmt_out.p_extra )
+                         return NULL;
+-- 
+2.1.4
+
diff --git a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
new file mode 100644
index 0000000..3ae498d
--- /dev/null
+++ b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
@@ -0,0 +1,28 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes.
+ We ensure that pbox->i_size is never smaller than 8 to avoid an
+ integer underflow in the third argument of the subsequent call to
+ memcpy. We also make sure no truncation occurs when passing values
+ derived from the 64 bit integer p_box->i_size to arguments of malloc
+ and memcpy that may be 32 bit integers on 32 bit platforms.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 19e84d3..3912e7e 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
+ {
+     MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ 
++    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++        MP4_READBOX_EXIT( 0 );
++
+     p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+     if( p_box->data.p_name->psz_text == NULL )
+         MP4_READBOX_EXIT( 0 );
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..80613b4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+codec-schroedinger-fix-potential-buffer-overflow.patch
+demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
+stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
diff --git a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
new file mode 100644
index 0000000..9148092
--- /dev/null
+++ b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
@@ -0,0 +1,47 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data
+ It should fix a possible invalid memory access
+ .
+ When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+ write access using an overly long 'configuration' string.
+ .
+ The original code attemps to allocate space to hold the string on the stack
+ and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+ buffer on the heap and return if allocation fails.
+ .
+ In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+ the size depends on the local variable 'len'. The variable 'len' is
+ calculated at (0) to be the length of a string contained in a specially
+ crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
+index baee82a..ff7ea10 100644
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     char *end = strchr(start, ';');
+     assert(end != NULL);
+     size_t len = end - start;
+-    char b64[len + 1];
++
++    char *b64 = malloc(len + 1);
++    if(!b64)
++        return VLC_EGENERIC;
++
+     memcpy(b64, start, len);
+     b64[len] = '\0';
+ 
+@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     int i_data;
+ 
+     i_data = vlc_b64_decode_binary(&p_orig, b64);
++    free(b64);
+     if (i_data <= 9)
+     {
+         free(p_orig);
+-- 
+2.1.4
+

-- 
VLC media player packaging

