SOURCES: demux_mov_fix_20080129.diff (NEW) - CVE-2008-0485

Sat Feb 16 12:52:56 CET 2008

Author: blues                        Date: Sat Feb 16 11:52:56 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- CVE-2008-0485

---- Files affected:
SOURCES:
   demux_mov_fix_20080129.diff (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/demux_mov_fix_20080129.diff
diff -u /dev/null SOURCES/demux_mov_fix_20080129.diff:1.1

--- /dev/null	Sat Feb 16 12:52:56 2008
+++ SOURCES/demux_mov_fix_20080129.diff	Sat Feb 16 12:52:51 2008
@@ -0,0 +1,45 @@
+--- libmpdemux/demux_mov.c	(revision 24724)
++++ libmpdemux/demux_mov.c	(working copy)
+@@ -173,11 +173,12 @@
+     i=trak->chunkmap_size;
+     while(i>0){
+ 	--i;
+-	for(j=trak->chunkmap[i].first;j<last;j++){
++	j=FFMAX(trak->chunkmap[i].first, 0);
++	for(;j<last;j++){
+ 	    trak->chunks[j].desc=trak->chunkmap[i].sdid;
+ 	    trak->chunks[j].size=trak->chunkmap[i].spc;
+ 	}
+-	last=trak->chunkmap[i].first;
++	last=FFMIN(trak->chunkmap[i].first, trak->chunks_size);
+     }
+ 
+ #if 0
+@@ -235,6 +236,8 @@
+     s=0;
+     for(j=0;j<trak->durmap_size;j++){
+ 	for(i=0;i<trak->durmap[j].num;i++){
++	    if (s >= trak->samples_size)
++		break;
+ 	    trak->samples[s].pts=pts;
+ 	    ++s;
+ 	    pts+=trak->durmap[j].dur;
+@@ -246,6 +249,8 @@
+     for(j=0;j<trak->chunks_size;j++){
+ 	off_t pos=trak->chunks[j].pos;
+ 	for(i=0;i<trak->chunks[j].size;i++){
++	    if (s >= trak->samples_size)
++		break;
+ 	    trak->samples[s].pos=pos;
+ 	    mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d  off=0x%08X  size=%d\n",s,
+ 		trak->samples[s].pts,
+@@ -1568,8 +1573,7 @@
+ 			if( udta_len>udta_size)
+ 				udta_len=udta_size;
+ 			{
+-			char dump[udta_len-4];
+-			stream_read(demuxer->stream, (char *)&dump, udta_len-4-4);
++			stream_skip(demuxer->stream, udta_len-4-4);
+ 			udta_size -= udta_len;
+ 			}
+ 		    }
================================================================
