SOURCES: mplayer-CVE-2005-4048.patch (NEW) - fixes CVE-2005-4048 (...
qboosh
qboosh at pld-linux.org
Mon Mar 20 11:55:15 CET 2006
Author: qboosh Date: Mon Mar 20 10:55:14 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- fixes CVE-2005-4048 (heap overflow exploitable via PNG images)
---- Files affected:
SOURCES:
mplayer-CVE-2005-4048.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/mplayer-CVE-2005-4048.patch
diff -u /dev/null SOURCES/mplayer-CVE-2005-4048.patch:1.1
--- /dev/null Mon Mar 20 11:55:14 2006
+++ SOURCES/mplayer-CVE-2005-4048.patch Mon Mar 20 11:55:09 2006
@@ -0,0 +1,81 @@
+--- ffmpeg-0.cvs20050313.orig/libavcodec/utils.c
++++ ffmpeg-0.cvs20050313/libavcodec/utils.c
+@@ -276,27 +276,10 @@
+ buf->last_pic_num= *picture_number;
+ }else{
+ int h_chroma_shift, v_chroma_shift;
+- int pixel_size;
+-
++ int pixel_size, size[3];
++ AVPicture picture;
++
+ avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
+-
+- switch(s->pix_fmt){
+- case PIX_FMT_RGB555:
+- case PIX_FMT_RGB565:
+- case PIX_FMT_YUV422:
+- case PIX_FMT_UYVY422:
+- pixel_size=2;
+- break;
+- case PIX_FMT_RGB24:
+- case PIX_FMT_BGR24:
+- pixel_size=3;
+- break;
+- case PIX_FMT_RGBA32:
+- pixel_size=4;
+- break;
+- default:
+- pixel_size=1;
+- }
+
+ avcodec_align_dimensions(s, &w, &h);
+
+@@ -304,21 +287,39 @@
+ w+= EDGE_WIDTH*2;
+ h+= EDGE_WIDTH*2;
+ }
+-
++ avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
++ pixel_size= picture.linesize[0]*8 / w;
++//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
++ assert(pixel_size>=1);
++ //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
++ if(pixel_size == 3*8)
++ w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
++ else
++ w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
++ size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
++ size[0] = picture.linesize[0] * h;
++ size[1] -= size[0];
++ if(picture.data[2])
++ size[1]= size[2]= size[1]/2;
++ else
++ size[2]= 0;
++
+ buf->last_pic_num= -256*256*256*64;
++ memset(buf->base, 0, sizeof(buf->base));
++ memset(buf->data, 0, sizeof(buf->data));
+
+- for(i=0; i<3; i++){
++ for(i=0; i<3 && size[i]; i++){
+ const int h_shift= i==0 ? 0 : h_chroma_shift;
+ const int v_shift= i==0 ? 0 : v_chroma_shift;
+
+- //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
+- buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift));
++ buf->linesize[i]= picture.linesize[i];
+
+- buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
++ buf->base[i]= av_malloc(size[i]+16); //FIXME 16
+ if(buf->base[i]==NULL) return -1;
+- memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
+-
+- if(s->flags&CODEC_FLAG_EMU_EDGE)
++ memset(buf->base[i], 128, size[i]);
++
++ // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
++ if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2])
+ buf->data[i] = buf->base[i];
+ else
+ buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);
================================================================
More information about the pld-cvs-commit
mailing list