[SCM] vlc/jessie: Apply upstream patch for CVE-2016-5108.

sramacher at users.alioth.debian.org sramacher at users.alioth.debian.org
Sun May 29 12:38:05 UTC 2016 

The following commit has been merged in the jessie branch:
commit 15d402a56db2e08e15c7d2fafcdb93cf01c7c7a2
Author: Sebastian Ramacher <sramacher at debian.org>
Date:   Sun May 29 12:52:21 2016 +0200

    Apply upstream patch for CVE-2016-5108.
    
    Closes: #825728

diff --git a/debian/patches/adpcm-reject-invalid-QuickTime-IMA-files.patch b/debian/patches/adpcm-reject-invalid-QuickTime-IMA-files.patch
new file mode 100644
index 0000000..a4bf1e9
--- /dev/null
+++ b/debian/patches/adpcm-reject-invalid-QuickTime-IMA-files.patch
@@ -0,0 +1,37 @@
+From c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= <funman at videolan.org>
+Date: Wed, 25 May 2016 10:00:25 +0200
+Subject: [PATCH 01/17] adpcm: reject invalid QuickTime IMA files
+
+DecodeAdpcmImaQT() can only decode up to stereo files.
+Fix out of bound write.
+
+Reported by: Patrick Coleman <blinken at gmail.com>
+
+Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
+(cherry picked from commit 458ed62bbeb9d1bddf7b8df104e14936408a3db9)
+Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
+---
+ modules/codec/adpcm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/modules/codec/adpcm.c b/modules/codec/adpcm.c
+index e655c45..0071077 100644
+--- a/modules/codec/adpcm.c
++++ b/modules/codec/adpcm.c
+@@ -174,6 +174,12 @@ static int OpenDecoder( vlc_object_t *p_this )
+     switch( p_dec->fmt_in.i_codec )
+     {
+         case VLC_FOURCC('i','m','a', '4'): /* IMA ADPCM */
++            if (p_dec->fmt_in.audio.i_channels > 2) {
++                free(p_sys);
++                msg_Err(p_dec, "Invalid number of channels %i",
++                        p_dec->fmt_in.audio.i_channels );
++                return VLC_EGENERIC;
++            }
+             p_sys->codec = ADPCM_IMA_QT;
+             break;
+         case VLC_CODEC_ADPCM_IMA_WAV: /* IMA ADPCM */
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8f61857
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+adpcm-reject-invalid-QuickTime-IMA-files.patch

-- 
VLC media player packaging

More information about the pkg-multimedia-commits mailing list