SOURCES: mplayer_demux_real.patch (NEW) - fix for CVE-2008-3827 from: htt...

sls sls at pld-linux.org
Mon Oct 13 14:01:32 CEST 2008


Author: sls                          Date: Mon Oct 13 12:01:32 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix for CVE-2008-3827 from:
  http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch

---- Files affected:
SOURCES:
   mplayer_demux_real.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/mplayer_demux_real.patch
diff -u /dev/null SOURCES/mplayer_demux_real.patch:1.1
--- /dev/null	Mon Oct 13 14:01:33 2008
+++ SOURCES/mplayer_demux_real.patch	Mon Oct 13 14:01:27 2008
@@ -0,0 +1,28 @@
+Index: libmpdemux/demux_real.c
+===================================================================
+--- libmpdemux/demux_real.c	(revision 27605)
++++ libmpdemux/demux_real.c	(working copy)
+@@ -947,6 +947,7 @@
+ 			    // last fragment!
+ 			    if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ 				mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++			    if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+             		    stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ 			    if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ 			    dp_hdr->len+=vpkg_offset;
+@@ -970,6 +971,7 @@
+ 			// non-last fragment:
+ 			if(dp_hdr->len!=vpkg_offset)
+ 			    mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  offset=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,len,vpkg_length);
++			if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+             		stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ 			if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ 			dp_hdr->len+=len;
+@@ -992,6 +994,7 @@
+ 		extra[0]=1; extra[1]=0; // offset of the first chunk
+ 		if(0x00==(vpkg_header&0xc0)){
+ 		    // first fragment:
++		    if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ 		    dp_hdr->len=len;
+ 		    stream_read(demuxer->stream, dp_data, len);
+ 		    ds->asf_packet=dp;
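Review bot: The three added clamps compute their bound as `dp->len - sizeof(dp_hdr_t) - dp_hdr->len` (or `dp->len - sizeof(dp_hdr_t)` in the first-fragment case), and because of `sizeof` that subtraction is evaluated in unsigned arithmetic. If `dp->len` is ever smaller than the amount subtracted, the bound wraps to a very large value and the clamp never fires, so the following `stream_read` still gets the unchecked length. The declarations of `dp->len`, `dp_hdr->len`, `len` and `vpkg_offset` lie outside the hunks, so whether that state is reachable cannot be confirmed from here. Guarding the subtraction first would make the check hold regardless, e.g. `size_t used = sizeof(dp_hdr_t) + dp_hdr->len;` then `size_t room = dp->len > 0 && (size_t)dp->len > used ? (size_t)dp->len - used : 0;` and `if (len < 0 || (size_t)len > room) len = room;`. The clamp is also silent; an `mp_msg(MSGT_DEMUX, MSGL_V, ...)` line when it triggers would record that a fragment was truncated, matching the warnings just above it.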
================================================================

