SOURCES: mplayer_demux_real.patch (NEW) - fix for CVE-2008-3827 from: htt...
sls
sls at pld-linux.org
Mon Oct 13 14:01:32 CEST 2008
Author: sls Date: Mon Oct 13 12:01:32 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- fix for CVE-2008-3827 from:
http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch
---- Files affected:
SOURCES:
mplayer_demux_real.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/mplayer_demux_real.patch
diff -u /dev/null SOURCES/mplayer_demux_real.patch:1.1
--- /dev/null Mon Oct 13 14:01:33 2008
+++ SOURCES/mplayer_demux_real.patch Mon Oct 13 14:01:27 2008
@@ -0,0 +1,28 @@
+Index: libmpdemux/demux_real.c
+===================================================================
+--- libmpdemux/demux_real.c (revision 27605)
++++ libmpdemux/demux_real.c (working copy)
+@@ -947,6 +947,7 @@
+ // last fragment!
+ if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=vpkg_offset;
+@@ -970,6 +971,7 @@
+ // non-last fragment:
+ if(dp_hdr->len!=vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
++ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=len;
+@@ -992,6 +994,7 @@
+ extra[0]=1; extra[1]=0; // offset of the first chunk
+ if(0x00==(vpkg_header&0xc0)){
+ // first fragment:
++ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ dp_hdr->len=len;
+ stream_read(demuxer->stream, dp_data, len);
+ ds->asf_packet=dp;
================================================================
More information about the pld-cvs-commit
mailing list