xine-lib 1.1.14-7 (stable-security)
This is a backport to stable of patches for security bugs and problems caused
by security bug fixes in 1.1.16.3. (Patch attached.)
1.1.16.3-1 will follow soon. libmagick9-dev is installable again (i.e. once
the relevant depends on libltdl3 have gone).
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| Kill all extremists!
Don't guess - check your security regulations.
diff -u xine-lib-1.1.14/src/demuxers/demux_qt.c xine-lib-1.1.14/src/demuxers/demux_qt.c
--- xine-lib-1.1.14/src/demuxers/demux_qt.c
+++ xine-lib-1.1.14/src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@
} else if (current_atom == STTS_ATOM) {
/* there should only be one of these atoms */
- if (trak->time_to_sample_table) {
+ if (trak->time_to_sample_table
+ || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
last_error = QT_HEADER_TROUBLE;
goto free_trak;
}
@@ -1545,6 +1546,11 @@
debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n",
trak->time_to_sample_count);
+ if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+ last_error = QT_HEADER_TROUBLE;
+ goto free_trak;
+ }
+
trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
if (!trak->time_to_sample_table) {
diff -u xine-lib-1.1.14/src/demuxers/demux_mpeg_block.c xine-lib-1.1.14/src/demuxers/demux_mpeg_block.c
--- xine-lib-1.1.14/src/demuxers/demux_mpeg_block.c
+++ xine-lib-1.1.14/src/demuxers/demux_mpeg_block.c
@@ -1417,7 +1417,8 @@
}
input->seek(input, 0, SEEK_SET);
- if (input->read(input, this->scratch, this->blocksize) == this->blocksize) {
+ memset (this->scratch, 255, 5); /* result of input->read() won't matter */
+ if (input->read(input, this->scratch, this->blocksize)) {
lprintf("open_plugin:read worked\n");
if (this->scratch[0] || this->scratch[1]
diff -u xine-lib-1.1.14/src/demuxers/demux_4xm.c xine-lib-1.1.14/src/demuxers/demux_4xm.c
--- xine-lib-1.1.14/src/demuxers/demux_4xm.c
+++ xine-lib-1.1.14/src/demuxers/demux_4xm.c
@@ -199,9 +199,9 @@
return 0;
}
current_track = _X_LE_32(&header[i + 8]);
- if (current_track + 1 > fourxm->track_count) {
+ if (current_track >= fourxm->track_count) {
fourxm->track_count = current_track + 1;
- if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ if (!fourxm->track_count || fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
free(header);
return 0;
}
diff -u xine-lib-1.1.14/debian/control xine-lib-1.1.14/debian/control
--- xine-lib-1.1.14/debian/control
+++ xine-lib-1.1.14/debian/control
@@ -26,7 +26,7 @@
XS-Vcs-hg: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb-lenny
XS-Vcs-Browser: http://hg.debian.org/hg/xine-lib/pkg/xine-lib-deb-lenny
XS-DM-Upload-Allowed: yes
-Homepage: http://xinehq.de/
+Homepage: http://xine-project.org/
Standards-Version: 3.8.0
Package: libxine1-doc
diff -u xine-lib-1.1.14/debian/changelog xine-lib-1.1.14/debian/changelog
--- xine-lib-1.1.14/debian/changelog
+++ xine-lib-1.1.14/debian/changelog
@@ -1,8 +1,22 @@
+xine-lib (1.1.14-7) stable-security; urgency=high
+
+ * Security fixes from upstream hg:
+ - Fix another possible int overflow in the 4XM demuxer.
+ (ref. TKADV2009-004, CVE-2009-0698)
+ - Fix an integer overflow in the Quicktime demuxer.
+ (TKADV2009-005) (Closes: #522811)
+ * Fixes from upstream hg:
+ - Fix segfaults when playing VCDs.
+ * Correct the upstream home page; xinehq.de is 410.
+
+ -- Darren Salt <linux@youmustbejoking.demon.co.uk> Mon, 06 Apr 2009 19:18:39 +0100
+
xine-lib (1.1.14-6) testing-proposed-updates; urgency=high
* Security fixes from upstream hg:
- Fix broken size checks in various input plugins (ref. CVE-2008-5239).
- - Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
+ - Fix a possible integer overflow in the 4XM demuxer.
+ (TKADV2009-004, CVE-2009-0698)
* Fixes from upstream hg:
- Fix race conditions in gapless switch (revealed by one of the hang
fixes in -4).
Reply to: