
xine-lib 1.1.14-5 uploaded to t-p-u



I've uploaded xine-lib 1.1.14-5 to testing-proposed-updates (diff attached).
This should be allowed into lenny because it fixes two bugs:

512148: broken check in the PVR input plugin (regression from -3)
508065: extra allocation checking (Real MDPR)

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Travel less. Share transport more.           PRODUCE LESS CARBON DIOXIDE.

Nothing is as easy as it looks.

diff -u xine-lib-1.1.14/src/input/input_pvr.c xine-lib-1.1.14/src/input/input_pvr.c
--- xine-lib-1.1.14/src/input/input_pvr.c
+++ xine-lib-1.1.14/src/input/input_pvr.c
@@ -1202,14 +1202,17 @@
   buf_element_t        *buf;
   int                   speed = _x_get_speed(this->stream);
 
-  if (todo < 0 || todo > buf->size)
-    return NULL;
-
   if( !this->pvr_running ) {
     xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n");
     return NULL;  
   }
 
+  buf = fifo->buffer_pool_alloc (fifo);
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer(buf);
+    return NULL;
+  }
+
   if( this->scr_tunning == -2 )
     speed = this->speed_before_pause;
 
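Review bot: `buf` is now taken from the pool near the top of the function, so every exit between this allocation and the point where the buffer is handed on has to release it. The new `todo` check does that with `buf->free_buffer(buf)`, but the code between this hunk and the next is not visible here and should be checked for other early returns. The reason for the move is also worth recording, because the removed check read `buf->size` through an uninitialised pointer: a comment such as `/* allocate first: the todo check below needs buf->size */` above the allocation would stop the check being hoisted again. The function body starts and ends outside the hunk.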
@@ -1233,7 +1236,6 @@
 
   pvr_event_handler(this);
   
-  buf = fifo->buffer_pool_alloc (fifo);
   buf->content = buf->mem;
     
   pthread_mutex_lock(&this->lock);
diff -u xine-lib-1.1.14/src/demuxers/demux_real.c xine-lib-1.1.14/src/demuxers/demux_real.c
--- xine-lib-1.1.14/src/demuxers/demux_real.c
+++ xine-lib-1.1.14/src/demuxers/demux_real.c
@@ -277,8 +277,12 @@
   this->input->seek(this->input, original_pos, SEEK_SET);
 }
 
-static mdpr_t *real_parse_mdpr(const char *data) {
-  mdpr_t *mdpr=malloc(sizeof(mdpr_t));
+static mdpr_t *real_parse_mdpr(const char *data, const unsigned int size)
+{
+  if (size < 38)
+    return NULL;
+
+  mdpr_t *mdpr=calloc(sizeof(mdpr_t), 1);
 
   mdpr->stream_number=_X_BE_16(&data[2]);
   mdpr->max_bit_rate=_X_BE_32(&data[4]);
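Review bot: The result of `calloc` is dereferenced on the very next statement (`mdpr->stream_number=...`) without a NULL test, although this patch adds that test for the three later `malloc` calls; `if (!mdpr) return NULL;` directly after the allocation closes the gap. `rmff_scan_mdpr` in rmff.c has the same unchecked `calloc`. The `size < 38` guard would also benefit from a comment saying that 38 is the fixed part of the MDPR record, which is what the later offsets (`data[33]`, `34+...`, `38+...`) imply. The function continues past the end of this hunk.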
@@ -290,17 +294,29 @@
   mdpr->duration=_X_BE_32(&data[28]);
 
   mdpr->stream_name_size=data[32];
+  if (size < 38 + mdpr->stream_name_size)
+    goto fail;
   mdpr->stream_name=malloc(mdpr->stream_name_size+1);
+  if (!mdpr->stream_name)
+    goto fail;
   memcpy(mdpr->stream_name, &data[33], mdpr->stream_name_size);
   mdpr->stream_name[(int)mdpr->stream_name_size]=0;
 
   mdpr->mime_type_size=data[33+mdpr->stream_name_size];
+  if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size)
+    goto fail;
   mdpr->mime_type=malloc(mdpr->mime_type_size+1);
+  if (!mdpr->mime_type)
+    goto fail;
   memcpy(mdpr->mime_type, &data[34+mdpr->stream_name_size], mdpr->mime_type_size);
   mdpr->mime_type[(int)mdpr->mime_type_size]=0;
 
   mdpr->type_specific_len=_X_BE_32(&data[34+mdpr->stream_name_size+mdpr->mime_type_size]);
+  if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data)
+    goto fail;
   mdpr->type_specific_data=malloc(mdpr->type_specific_len);
+  if (!mdpr->type_specific_data)
+    goto fail;
   memcpy(mdpr->type_specific_data,
       &data[38+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len);
 
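Review bot: The last length check adds `mdpr->type_specific_data`, a pointer that is still NULL at that point, where `mdpr->type_specific_len` was evidently meant. As a result the 32-bit length read from the file is never compared with `size`, and the `memcpy` that follows can read past the end of `data`. The condition should be `if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_len)`; if the length field is an unsigned 32-bit type (its declaration is not shown), it is safer written as a subtraction from `size` so the sum cannot wrap. The same slip is in `rmff_scan_mdpr` in rmff.c, in the check before its `type_specific_data` allocation. A compiler warning about comparing an integer with a pointer on these lines is a quick way to confirm it.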
@@ -320,6 +336,13 @@
 #endif
 
   return mdpr;
+
+fail:
+  free (mdpr->stream_name);
+  free (mdpr->mime_type);
+  free (mdpr->type_specific_data);
+  free (mdpr);
+  return NULL;
 }
 
 static void real_free_mdpr (mdpr_t *mdpr) {
@@ -503,9 +526,14 @@
 	    continue;
 	  }
                 
-	  mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer);
+	  mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer, chunk_size);
 
 	  lprintf ("parsing type specific data...\n");
+	  if (!mdpr) {
+	    free (chunk_buffer);
+	    this->status = DEMUX_FINISHED;
+	    return;
+	  }
 	  if(!strcmp(mdpr->mime_type, "audio/X-MP3-draft-00")) {
 	    lprintf ("mpeg layer 3 audio detected...\n");
 
diff -u xine-lib-1.1.14/debian/control xine-lib-1.1.14/debian/control
--- xine-lib-1.1.14/debian/control
+++ xine-lib-1.1.14/debian/control
@@ -23,8 +23,8 @@
 	libmad0-dev, libmpcdec-dev, libcdio-dev (>= 0.76),
 	zlib1g-dev, w3m, transfig, sgmltools-lite,
 	ghostscript | gs-gpl | gs
-XS-Vcs-hg: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb
-XS-Vcs-Browser: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb
+XS-Vcs-hg: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb-lenny
+XS-Vcs-Browser: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb-lenny
 XS-DM-Upload-Allowed: yes
 Homepage: http://xinehq.de/
 Standards-Version: 3.8.0
diff -u xine-lib-1.1.14/debian/changelog xine-lib-1.1.14/debian/changelog
--- xine-lib-1.1.14/debian/changelog
+++ xine-lib-1.1.14/debian/changelog
@@ -1,3 +1,14 @@
+xine-lib (1.1.14-5) testing-proposed-updates; urgency=high
+
+  * Fixes from upstream hg:
+    - Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
+      (Closes: #512148)
+    - Add allocation checking to the Real MDPR parser (ref. CVE-2008-5240).
+      (Closes: #508065)
+  * Update the VCS URLs in debian/control.
+
+ -- Darren Salt <linux@youmustbejoking.demon.co.uk>  Sun, 18 Jan 2009 16:29:02 +0000
+
 xine-lib (1.1.14-4) testing-proposed-updates; urgency=high
 
   * Security fixes backported from 1.1.16:
only in patch2:
unchanged:
--- xine-lib-1.1.14.orig/src/input/libreal/rmff.c
+++ xine-lib-1.1.14/src/input/libreal/rmff.c
@@ -330,12 +330,14 @@
   return prop;
 }
 
-static rmff_mdpr_t *rmff_scan_mdpr(const char *data) {
-
-  rmff_mdpr_t *mdpr = malloc(sizeof(rmff_mdpr_t));
+static rmff_mdpr_t *rmff_scan_mdpr(const char *data)
+{
+  rmff_mdpr_t *mdpr = calloc(sizeof(rmff_mdpr_t), 1);
 
   mdpr->object_id=_X_BE_32(data);
   mdpr->size=_X_BE_32(&data[4]);
+  if (mdpr->size < 46)
+    goto fail;
   mdpr->object_version=_X_BE_16(&data[8]);
   if (mdpr->object_version != 0)
   {
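Review bot: Every new bounds check in `rmff_scan_mdpr` compares against `mdpr->size`, which is itself read from `data` two statements earlier, so the checks only prove the chunk is self-consistent, not that the bytes are present in the caller's buffer. The function has no buffer-length parameter, unlike `real_parse_mdpr` in demux_real.c, which gains `size` in this same patch. Passing the number of valid bytes and rejecting a `mdpr->size` larger than it would make the checks meaningful, unless the caller already guarantees this (not visible here). The body continues outside the hunk.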
@@ -351,21 +353,40 @@
   mdpr->duration=_X_BE_32(&data[36]);
   
   mdpr->stream_name_size=data[40];
+  if (mdpr->size < 46 + mdpr->stream_name_size)
+    goto fail;
   mdpr->stream_name = malloc(mdpr->stream_name_size+1);
+  if (!mdpr->stream_name)
+    goto fail;
   memcpy(mdpr->stream_name, &data[41], mdpr->stream_name_size);
   mdpr->stream_name[mdpr->stream_name_size]=0;
   
   mdpr->mime_type_size=data[41+mdpr->stream_name_size];
+  if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size)
+    goto fail;
   mdpr->mime_type = malloc(mdpr->mime_type_size+1);
+  if (!mdpr->mime_type)
+    goto fail;
   memcpy(mdpr->mime_type, &data[42+mdpr->stream_name_size], mdpr->mime_type_size);
   mdpr->mime_type[mdpr->mime_type_size]=0;
   
   mdpr->type_specific_len=_X_BE_32(&data[42+mdpr->stream_name_size+mdpr->mime_type_size]);
+  if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data)
+    goto fail;
   mdpr->type_specific_data = malloc(mdpr->type_specific_len);
+  if (!mdpr->type_specific_data)
+    goto fail;
   memcpy(mdpr->type_specific_data, 
       &data[46+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len);
   
   return mdpr;
+
+fail:
+  free (mdpr->stream_name);
+  free (mdpr->mime_type);
+  free (mdpr->type_specific_data);
+  free (mdpr);
+  return NULL;
 }
 
 static rmff_cont_t *rmff_scan_cont(const char *data) {
@@ -463,8 +484,11 @@
       break;
     case MDPR_TAG:
       mdpr=rmff_scan_mdpr(ptr);
-      chunk_size=mdpr->size;
-      header->streams[mdpr->stream_number]=mdpr;
+      if (mdpr) /* FIXME: what to do if NULL? */
+      {
+        chunk_size=mdpr->size;
+        header->streams[mdpr->stream_number]=mdpr;
+      }
       break;
     case CONT_TAG:
       header->cont=rmff_scan_cont(ptr);
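Review bot: When `rmff_scan_mdpr` returns NULL the case simply breaks, leaving `chunk_size` at whatever value it held before, and the code after the switch (outside this hunk) presumably uses it to advance `ptr`. The FIXME acknowledges this, but the parse should stop and report failure at that point rather than continue with a stale size. Separately, `mdpr->stream_number` comes from the file and is used directly as an index into `header->streams`; the size of that array is not visible here, so a bounds check before the store is worth confirming.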
