[SCM] vlc/wheezy: Imported Debian version 2.0.3-5+deb7u1
sramacher at users.alioth.debian.org
sramacher at users.alioth.debian.org
Fri Mar 20 17:51:04 UTC 2015
The following commit has been merged in the wheezy branch:
commit e7334675275f91360981c3e2f7807cf1148306e3
Author: Moritz Muehlenhoff <jmm at debian.org>
Date: Wed Jul 2 18:42:33 2014 +0000
Imported Debian version 2.0.3-5+deb7u1
diff --git a/debian/changelog b/debian/changelog
index 5218396..d545439 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vlc (2.0.3-5+deb7u1) wheezy-security; urgency=low
+
+ * CVE-2013-1868 CVE-2013-1954 CVE-2013-4388
+
+ -- Moritz Muehlenhoff <jmm at debian.org> Thu, 02 Jul 2014 18:42:33 +0000
+
vlc (2.0.3-5) testing; urgency=low
* vlc-plugin-*: Break vlc-nox (<< 2.0.0) to workaround running an outdated
diff --git a/debian/patches/CVE-2013-1868.patch b/debian/patches/CVE-2013-1868.patch
new file mode 100644
index 0000000..23e9078
--- /dev/null
+++ b/debian/patches/CVE-2013-1868.patch
@@ -0,0 +1,289 @@
+--- vlc-2.0.3.orig/modules/codec/subsdec.c
++++ vlc-2.0.3/modules/codec/subsdec.c
+@@ -31,6 +31,8 @@
+ # include "config.h"
+ #endif
+
++#include <limits.h>
++
+ #include <vlc_common.h>
+ #include <vlc_plugin.h>
+ #include <vlc_codec.h>
+@@ -574,19 +576,32 @@ static char *StripTags( char *psz_subtit
+ * returned, and the rendering engine will fall back to the
+ * plain text version of the subtitle.
+ */
++/* TODO: highly suboptimal, offset should be cached */
+ static void HtmlNPut( char **ppsz_html, const char *psz_text, int i_max )
+ {
+- const int i_len = strlen(psz_text);
++ char *psz_html = *ppsz_html;
++ if( psz_html == NULL )
++ return;
++
++ const size_t i_offset = strlen(psz_html);
++ const size_t i_len = strnlen(psz_text, i_max);
+
+- strncpy( *ppsz_html, psz_text, i_max );
+- *ppsz_html += __MIN(i_max,i_len);
++ psz_html = realloc( psz_html, i_offset + i_len + 1 );
++ if( psz_html != NULL )
++ {
++ memcpy( psz_html + i_offset, psz_text, i_len );
++ psz_html[i_offset + i_len] = '\0';
++ }
++ else
++ free( *ppsz_html );
++ *ppsz_html = psz_html;
+ }
+
+ static void HtmlPut( char **ppsz_html, const char *psz_text )
+ {
+- strcpy( *ppsz_html, psz_text );
+- *ppsz_html += strlen(psz_text);
++ HtmlNPut( ppsz_html, psz_text, INT_MAX );
+ }
++
+ static void HtmlCopy( char **ppsz_html, char **ppsz_subtitle, const char *psz_text )
+ {
+ HtmlPut( ppsz_html, psz_text );
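Review bot: HtmlNPut() now has a failure contract that is not written down anywhere: when realloc() fails it frees the old buffer and stores NULL in `*ppsz_html`, and every later call returns early on that NULL. A comment above the function should say so, for example `/* Appends at most i_max bytes of psz_text; on allocation failure *ppsz_html is freed and set to NULL, and further calls are no-ops. */`, so callers know to check the pointer before dereferencing it. The `int i_max` parameter is also converted to `size_t` when passed to strnlen(), so a `size_t` parameter would match how it is used. HtmlCopy()'s body continues outside the hunk.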
+@@ -595,22 +610,17 @@ static void HtmlCopy( char **ppsz_html,
+
+ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
+ {
+- /* */
+- char *psz_tag = malloc( ( strlen( psz_subtitle ) / 3 ) + 1 );
+- if( !psz_tag )
++ char *psz_tag = malloc( 1 );
++ if( psz_tag == NULL )
+ return NULL;
+- psz_tag[ 0 ] = '\0';
+
+- /* */
+- //Oo + 100 ???
+- size_t i_buf_size = strlen( psz_subtitle ) + 100;
+- char *psz_html_start = malloc( i_buf_size );
+- char *psz_html = psz_html_start;
+- if( psz_html_start == NULL )
++ char *psz_html = malloc( 1 );
++ if( psz_html == NULL )
+ {
+ free( psz_tag );
+ return NULL;
+ }
++ psz_tag[0] = '\0';
+ psz_html[0] = '\0';
+
+ bool b_has_align = false;
+@@ -634,22 +644,22 @@ static char *CreateHtmlSubtitle( int *pi
+ else if( !strncasecmp( psz_subtitle, "<b>", 3 ) )
+ {
+ HtmlCopy( &psz_html, &psz_subtitle, "<b>" );
+- strcat( psz_tag, "b" );
++ HtmlPut( &psz_tag, "b" );
+ }
+ else if( !strncasecmp( psz_subtitle, "<i>", 3 ) )
+ {
+ HtmlCopy( &psz_html, &psz_subtitle, "<i>" );
+- strcat( psz_tag, "i" );
++ HtmlPut( &psz_tag, "i" );
+ }
+ else if( !strncasecmp( psz_subtitle, "<u>", 3 ) )
+ {
+ HtmlCopy( &psz_html, &psz_subtitle, "<u>" );
+- strcat( psz_tag, "u" );
++ HtmlPut( &psz_tag, "u" );
+ }
+ else if( !strncasecmp( psz_subtitle, "<s>", 3 ) )
+ {
+ HtmlCopy( &psz_html, &psz_subtitle, "<s>" );
+- strcat( psz_tag, "s" );
++ HtmlPut( &psz_tag, "s" );
+ }
+ else if( !strncasecmp( psz_subtitle, "<font ", 6 ))
+ {
+@@ -659,7 +669,7 @@ static char *CreateHtmlSubtitle( int *pi
+ "alpha=", NULL };
+
+ HtmlCopy( &psz_html, &psz_subtitle, "<font " );
+- strcat( psz_tag, "f" );
++ HtmlPut( &psz_tag, "f" );
+
+ while( *psz_subtitle != '>' )
+ {
+@@ -716,10 +726,9 @@ static char *CreateHtmlSubtitle( int *pi
+
+ psz_subtitle += i_len;
+ }
+- while (*psz_subtitle == ' ')
+- *psz_html++ = *psz_subtitle++;
++ HtmlNPut( &psz_html, psz_subtitle, strspn(psz_subtitle, " ") );
+ }
+- *psz_html++ = '>';
++ HtmlPut( &psz_html, ">" );
+ *psz_subtitle++;
+ }
+ else if( !strncmp( psz_subtitle, "</", 2 ))
+@@ -768,8 +777,8 @@ static char *CreateHtmlSubtitle( int *pi
+ if( !b_match )
+ {
+ /* Not well formed -- kill everything */
+- free( psz_html_start );
+- psz_html_start = NULL;
++ free( psz_html );
++ psz_html = NULL;
+ break;
+ }
+ *psz_lastTag = '\0';
+@@ -809,7 +818,7 @@ static char *CreateHtmlSubtitle( int *pi
+ {
+ /* We have the closing tag, ignore it TODO */
+ psz_subtitle = &psz_stop[1];
+- strcat( psz_tag, "I" );
++ HtmlPut( &psz_tag, "I" );
+ }
+ else
+ {
+@@ -823,7 +832,7 @@ static char *CreateHtmlSubtitle( int *pi
+ else if( *psz_subtitle == '>' )
+ HtmlPut( &psz_html, ">" );
+ else
+- *psz_html++ = *psz_subtitle;
++ HtmlNPut( &psz_html, psz_subtitle, 1 );
+ }
+ }
+ }
+@@ -887,17 +896,17 @@ static char *CreateHtmlSubtitle( int *pi
+ if( psz_subtitle[3] == 'i' )
+ {
+ HtmlPut( &psz_html, "<i>" );
+- strcat( psz_tag, "i" );
++ HtmlPut( &psz_tag, "i" );
+ }
+ if( psz_subtitle[3] == 'b' )
+ {
+ HtmlPut( &psz_html, "<b>" );
+- strcat( psz_tag, "b" );
++ HtmlPut( &psz_tag, "b" );
+ }
+ if( psz_subtitle[3] == 'u' )
+ {
+ HtmlPut( &psz_html, "<u>" );
+- strcat( psz_tag, "u" );
++ HtmlPut( &psz_tag, "u" );
+ }
+ psz_subtitle = strchr( psz_subtitle, '}' ) + 1;
+ }
+@@ -927,10 +936,12 @@ static char *CreateHtmlSubtitle( int *pi
+ }
+ else
+ {
+- *psz_html = *psz_subtitle;
+- if( psz_html > psz_html_start )
++ HtmlNPut( &psz_html, psz_subtitle, 1 );
++#if 0
++ if( *psz_html )
+ {
+ /* Check for double whitespace */
++# error This test does not make sense.
+ if( ( *psz_html == ' ' || *psz_html == '\t' ) &&
+ ( *(psz_html-1) == ' ' || *(psz_html-1) == '\t' ) )
+ {
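Review bot: The old double-whitespace collapse is left behind as an `#if 0` block with an `# error` line inside it, rather than being removed or reimplemented. As far as this hunk shows, consecutive spaces and tabs are now copied through unchanged. If that behaviour change is intended, deleting the block and leaving a one-line comment such as `/* double whitespace is no longer collapsed */` would be clearer than dead code that cannot compile when re-enabled. The block's `#endif` is in the following hunk.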
+@@ -938,70 +949,41 @@ static char *CreateHtmlSubtitle( int *pi
+ psz_html--;
+ }
+ }
+- psz_html++;
++#endif
+ psz_subtitle++;
+ }
+-
+- if( ( size_t )( psz_html - psz_html_start ) > i_buf_size - 50 )
+- {
+- const int i_len = psz_html - psz_html_start;
+-
+- i_buf_size += 200;
+- char *psz_new = realloc( psz_html_start, i_buf_size );
+- if( !psz_new )
+- break;
+- psz_html_start = psz_new;
+- psz_html = &psz_new[i_len];
+- }
+ }
+- if( psz_html_start )
+- {
+- static const char *psz_text_close = "</text>";
+- static const char *psz_tag_long = "/font>";
+
+- /* Realloc for closing tags and shrink memory */
+- const size_t i_length = (size_t)( psz_html - psz_html_start );
+-
+- const size_t i_size = i_length + strlen(psz_tag_long) * strlen(psz_tag) + strlen(psz_text_close) + 1;
+- char *psz_new = realloc( psz_html_start, i_size );
+- if( psz_new )
++ while( *psz_tag )
++ {
++ /* */
++ char *psz_last = &psz_tag[strlen(psz_tag)-1];
++ switch( *psz_last )
+ {
+- psz_html_start = psz_new;
+- psz_html = &psz_new[i_length];
+-
+- /* Close not well formed subtitle */
+- while( *psz_tag )
+- {
+- /* */
+- char *psz_last = &psz_tag[strlen(psz_tag)-1];
+- switch( *psz_last )
+- {
+- case 'b':
+- HtmlPut( &psz_html, "</b>" );
+- break;
+- case 'i':
+- HtmlPut( &psz_html, "</i>" );
+- break;
+- case 'u':
+- HtmlPut( &psz_html, "</u>" );
+- break;
+- case 's':
+- HtmlPut( &psz_html, "</s>" );
+- break;
+- case 'f':
+- HtmlPut( &psz_html, "/font>" );
+- break;
+- case 'I':
+- break;
+- }
+-
+- *psz_last = '\0';
+- }
+- HtmlPut( &psz_html, psz_text_close );
++ case 'b':
++ HtmlPut( &psz_html, "</b>" );
++ break;
++ case 'i':
++ HtmlPut( &psz_html, "</i>" );
++ break;
++ case 'u':
++ HtmlPut( &psz_html, "</u>" );
++ break;
++ case 's':
++ HtmlPut( &psz_html, "</s>" );
++ break;
++ case 'f':
++ HtmlPut( &psz_html, "</font>" );
++ break;
++ case 'I':
++ break;
+ }
++ *psz_last = '\0';
+ }
++ /* Close not well formed subtitle */
++ HtmlPut( &psz_html, "</text>" );
+ free( psz_tag );
+
+- return psz_html_start;
++ return psz_html;
+ }
+
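Review bot: `while( *psz_tag )` dereferences psz_tag without a NULL check, but the tag stack is now grown through `HtmlPut( &psz_tag, ... )` in the earlier hunks, and HtmlNPut() sets its pointer to NULL when realloc() fails. After such a failure this loop would read through a NULL pointer. `while( psz_tag != NULL && *psz_tag )` avoids that, and `free( psz_tag )` is already safe with NULL. The closing-tag branch that writes `*psz_lastTag = '\0'` may need the same guard if psz_lastTag is derived from psz_tag, which the visible context does not show.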
diff --git a/debian/patches/CVE-2013-1954.patch b/debian/patches/CVE-2013-1954.patch
new file mode 100644
index 0000000..d47edcc
--- /dev/null
+++ b/debian/patches/CVE-2013-1954.patch
@@ -0,0 +1,170 @@
+From b31ce523331aa3a6e620b68cdfe3f161d519631e Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Rafa=C3=ABl=20Carr=C3=A9?= <funman at videolan.org>
+Date: Thu, 17 Jan 2013 12:47:45 +0100
+Subject: [PATCH] asf demux: fix #8024
+
+Replace macro with static inline and use bounds checking
+---
+ modules/demux/asf/asf.c | 74 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 50 insertions(+), 24 deletions(-)
+
+diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
+index 294aa89..91d913f 100644
+--- a/modules/demux/asf/asf.c
++++ b/modules/demux/asf/asf.c
+@@ -383,15 +383,30 @@ static mtime_t GetMoviePTS( demux_sys_t *p_sys )
+ return i_time;
+ }
+
+-#define GETVALUE2b( bits, var, def ) \
+- switch( (bits)&0x03 ) \
+- { \
+- case 1: var = p_peek[i_skip]; i_skip++; break; \
+- case 2: var = GetWLE( p_peek + i_skip ); i_skip+= 2; break; \
+- case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \
+- case 0: \
+- default: var = def; break;\
++static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits)
++{
++ switch(bits&0x03)
++ {
++ case 1:
++ if (left < 1)
++ return -1;
++ *var = p[*skip]; *skip += 1;
++ return 0;
++ case 2:
++ if (left < 2)
++ return -1;
++ *var = GetWLE(&p[*skip]); *skip += 2;
++ return 0;
++ case 3:
++ if (left < 4)
++ return -1;
++ *var = GetDWLE(&p[*skip]); *skip += 4;
++ return 0;
++ case 0:
++ default:
++ return 0;
+ }
++}
+
+ static int DemuxPacket( demux_t *p_demux )
+ {
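Review bot: GetValue2b() returns 0 without writing `*var` when the two low bits of `bits` are zero, so the default that the old macro took as its `def` argument must now be preloaded by the caller, and nothing documents this. A comment above the function, such as `/* Reads a 0-, 1-, 2- or 4-byte little-endian field at p[*skip]; for width 0, *var is left untouched and the caller's initial value is the default. Returns -1 if fewer bytes than needed remain. */`, would explain the new initialisers in DemuxPacket(). The 4-byte case also stores a GetDWLE() result in an `int`, so a large field value would presumably come out negative; a range check after the call may be worth adding.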
+@@ -405,15 +420,15 @@ static int DemuxPacket( demux_t *p_demux )
+ int i_packet_property;
+
+ int b_packet_multiple_payload;
+- int i_packet_length;
+- int i_packet_sequence;
+- int i_packet_padding_length;
++ int i_packet_length = i_data_packet_min;
++ int i_packet_sequence = 0;
++ int i_packet_padding_length = 0;
+
+ uint32_t i_packet_send_time;
+- uint16_t i_packet_duration;
+ int i_payload;
+ int i_payload_count;
+ int i_payload_length_type;
++ int peek_size;
+
+
+ if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)<i_data_packet_min )
+@@ -421,6 +436,7 @@ static int DemuxPacket( demux_t *p_demux )
+ msg_Warn( p_demux, "cannot peek while getting new packet, EOF ?" );
+ return 0;
+ }
++ peek_size = i_data_packet_min;
+ i_skip = 0;
+
+ /* *** parse error correction if present *** */
+@@ -461,9 +477,12 @@ static int DemuxPacket( demux_t *p_demux )
+ b_packet_multiple_payload = i_packet_flags&0x01;
+
+ /* read some value */
+- GETVALUE2b( i_packet_flags >> 5, i_packet_length, i_data_packet_min );
+- GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 );
+- GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 );
++ if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0)
++ goto loop_error_recovery;
++ if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0)
++ goto loop_error_recovery;
++ if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0)
++ goto loop_error_recovery;
+
+ if( i_packet_padding_length > i_packet_length )
+ {
+@@ -479,7 +498,7 @@ static int DemuxPacket( demux_t *p_demux )
+ }
+
+ i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
+- i_packet_duration = GetWLE( p_peek + i_skip ); i_skip += 2;
++ /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
+
+ i_packet_size_left = i_packet_length;
+
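Review bot: The fixed-width reads that follow the new checks are still unbounded. `GetDWLE( p_peek + i_skip )` and the two skips here advance i_skip by 6 without comparing against peek_size, and `p_peek[i_skip]` at the start of the payload loop (hunk at -521,9) is read the same way. A guard before the send-time read, `if( peek_size - i_skip < 6 ) goto loop_error_recovery;`, and `if( peek_size - i_skip < 1 ) break;` before the stream-number byte would keep them consistent with GetValue2b(). Whether i_data_packet_min always covers these bytes is not visible in the hunk.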
+@@ -501,13 +520,13 @@ static int DemuxPacket( demux_t *p_demux )
+
+ int i_packet_keyframe;
+ unsigned int i_stream_number;
+- int i_media_object_number;
++ int i_media_object_number = 0;
+ int i_media_object_offset;
+- int i_replicated_data_length;
+- int i_payload_data_length;
++ int i_replicated_data_length = 0;
++ int i_payload_data_length = 0;
+ int i_payload_data_pos;
+ int i_sub_payload_data_length;
+- int i_tmp;
++ int i_tmp = 0;
+
+ mtime_t i_pts;
+ mtime_t i_pts_delta;
+@@ -521,9 +540,12 @@ static int DemuxPacket( demux_t *p_demux )
+ i_packet_keyframe = p_peek[i_skip] >> 7;
+ i_stream_number = p_peek[i_skip++] & 0x7f;
+
+- GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 );
+- GETVALUE2b( i_packet_property >> 2, i_tmp, 0 );
+- GETVALUE2b( i_packet_property, i_replicated_data_length, 0 );
++ if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0)
++ break;
++ if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0)
++ break;
++ if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0)
++ break;
+
+ if( i_replicated_data_length > 1 ) // should be at least 8 bytes
+ {
+@@ -558,7 +580,9 @@ static int DemuxPacket( demux_t *p_demux )
+ i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 );
+ if( b_packet_multiple_payload )
+ {
+- GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 );
++ i_payload_data_length = 0;
++ if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0)
++ break;
+ }
+ else
+ {
+@@ -645,6 +669,7 @@ static int DemuxPacket( demux_t *p_demux )
+ return 0;
+ }
+ i_packet_size_left -= i_read;
++ peek_size = 0;
+
+ p_frag->p_buffer += i_skip;
+ p_frag->i_buffer -= i_skip;
+@@ -672,6 +697,7 @@ static int DemuxPacket( demux_t *p_demux )
+ msg_Warn( p_demux, "cannot peek, EOF ?" );
+ return 0;
+ }
++ peek_size = i_packet_size_left;
+ }
+ }
+ }
+--
+1.7.10.4
+
diff --git a/debian/patches/CVE-2013-4388.patch b/debian/patches/CVE-2013-4388.patch
new file mode 100644
index 0000000..faad8a2
--- /dev/null
+++ b/debian/patches/CVE-2013-4388.patch
@@ -0,0 +1,15 @@
+--- vlc-2.0.3.orig/modules/packetizer/mpeg4audio.c
++++ vlc-2.0.3/modules/packetizer/mpeg4audio.c
+@@ -892,8 +892,11 @@ static int LOASParse( decoder_t *p_dec,
+ continue;
+
+ /* FIXME that's slow (and a bit ugly to write in place) */
+- for( i = 0; i < pi_payload[i_program][i_layer]; i++ )
++ for (int i = 0; i < pi_payload[i_program][i_layer]; i++) {
++ if (i_accumulated >= i_buffer)
++ return 0;
+ p_buffer[i_accumulated++] = bs_read( &s, 8 );
++ }
+ }
+ }
+ }
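Review bot: The new overflow check returns 0 from inside the copy loop with no diagnostic, after part of the payload may already have been written to p_buffer and consumed from the bit reader. A warning before the return, e.g. `msg_Warn( p_dec, "LOAS payload larger than output buffer" );`, would make truncated or malformed streams visible in the logs. A short comment on what a 0 return means to the caller would also help. The loop's new `int i` presumably leaves behind an outer `i` that the removed line used; if nothing else uses it, that declaration can go. LOASParse's body starts and ends outside the hunk.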
diff --git a/debian/patches/series b/debian/patches/series
index b69d913..ef1a447 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,7 @@ link-vlc-cache-gen-with-c++.patch
link-vlc-with-c++.patch
bp-fix-hang-caused-by-notify.patch
CVE-2012-5470.patch
+CVE-2013-1868.patch
+CVE-2013-1954.patch
+CVE-2013-4388.patch
+
--
VLC media player packaging