r1538 - in /unstable/vlc/debian: changelog patches/409-cue-overflow.diff patches/series

xtophe-guest at users.alioth.debian.org xtophe-guest at users.alioth.debian.org
Wed Nov 5 22:08:38 UTC 2008


Author: xtophe-guest
Date: Wed Nov  5 22:08:38 2008
New Revision: 1538

URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1538
Log:
Fix buffer overflow in CUE demuxer (Closes: #504639) 

Added:
    unstable/vlc/debian/patches/409-cue-overflow.diff
Modified:
    unstable/vlc/debian/changelog
    unstable/vlc/debian/patches/series

Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1538&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Wed Nov  5 22:08:38 2008
@@ -1,8 +1,9 @@
-vlc (0.8.6.h-5) UNRELEASED; urgency=low
+vlc (0.8.6.h-5) unstable; urgency=high
 
   * Acknowledge NMU by Nico Golde. Thanks.
-
- -- Christophe Mutricy <xtophe at videolan.org>  Tue, 04 Nov 2008 21:55:43 +0100
+  * Fix buffer overflow in CUE demuxer (Closes: #504639) 
+
+ -- Christophe Mutricy <xtophe at videolan.org>  Wed, 05 Nov 2008 22:02:06 +0100
 
 vlc (0.8.6.h-4.1) unstable; urgency=high
 

Added: unstable/vlc/debian/patches/409-cue-overflow.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/409-cue-overflow.diff?rev=1538&op=file
==============================================================================
--- unstable/vlc/debian/patches/409-cue-overflow.diff (added)
+++ unstable/vlc/debian/patches/409-cue-overflow.diff Wed Nov  5 22:08:38 2008
@@ -1,0 +1,125 @@
+From: Rémi Denis-Courmont <rdenis at simphalempin.com>
+Date: Tue, 4 Nov 2008 19:31:17 +0000 (+0200)
+Subject: Fix buffer overflow
+X-Git-Tag: 0.9.6~3
+X-Git-Url: http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commitdiff_plain;h=5f63f1562d43f32331006c2c1a61742de031b84d;hp=c486b8e603f4d49a86c4891511e4f99f85bba3b1
+
+Fix buffer overflow
+
+Pointed-out-by. Tobias Klein <tk at trapkit.de>
+---
+
+Index: vlc-0.8.6.h/modules/access/vcd/cdrom.c
+===================================================================
+--- vlc-0.8.6.h.orig/modules/access/vcd/cdrom.c	2008-05-25 20:28:57.000000000 +0200
++++ vlc-0.8.6.h/modules/access/vcd/cdrom.c	2008-11-05 23:08:43.000000000 +0100
+@@ -835,6 +835,7 @@
+     char *psz_vcdfile2 = NULL;
+     char *psz_cuefile = NULL;
+     FILE *cuefile     = NULL;
++    int *p_sectors    = NULL;
+     char line[1024];
+ 
+     /* Check if we are dealing with a .cue file */
+@@ -880,7 +881,6 @@
+     cuefile = utf8_fopen( psz_cuefile, "rt" );
+     if( cuefile == NULL )
+     {
+-        i_ret = -1;
+         msg_Dbg( p_this, "could not find .cue file" );
+         goto error;
+     }
+@@ -921,58 +921,56 @@
+     }
+ 
+     if( p_vcddev->i_vcdimage_handle == -1)
+-    {
+-        i_ret = -1;
+         goto error;
+-    }
+-    else i_ret = 0;
+ 
+     /* Try to parse the i_tracks and p_sectors info so we can just forget
+      * about the cuefile */
+-    if( i_ret == 0 )
++    size_t i_tracks = 0;
++
++    while( fgets( line, 1024, cuefile ) )
+     {
+-        int p_sectors[100];
+-        int i_tracks = 0;
+-        int i_num;
+-        char psz_dummy[10];
++        /* look for a TRACK line */
++        char psz_dummy[9];
++        if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") )
++            continue;
+ 
++        /* look for an INDEX line */
+         while( fgets( line, 1024, cuefile ) )
+         {
+-            /* look for a TRACK line */
+-            if( !sscanf( line, "%9s", psz_dummy ) ||
+-                strcmp(psz_dummy, "TRACK") )
+-                continue;
++            int i_num, i_min, i_sec, i_frame;
+ 
+-            /* look for an INDEX line */
+-            while( fgets( line, 1024, cuefile ) )
+-            {
+-                int i_min, i_sec, i_frame;
++            if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num,
++                         &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) )
++                continue;
+ 
+-                if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
+-                            &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
+-                    continue;
+-
+-                i_tracks++;
+-                p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
+-                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
+-                         i_tracks - 1, p_sectors[i_tracks - 1] );
+-                break;
+-            }
++            int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++            if (buf == NULL)
++                goto error;
++            p_sectors = buf;
++            p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
++            msg_Dbg( p_this, "vcd track %i begins at sector:%i",
++                     i_tracks, p_sectors[i_tracks] );
++            i_tracks++;
++            break;
+         }
+-
+-        /* fill in the last entry */
+-        p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
+-                                / VCD_SECTOR_SIZE;
+-        msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
+-                 i_tracks, p_sectors[i_tracks] );
+-        p_vcddev->i_tracks = i_tracks;
+-        p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) );
+-        memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) );
+-
+     }
+ 
++    /* fill in the last entry */
++    int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++    if (buf == NULL)
++        goto error;
++    p_sectors = buf;
++    p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
++                                 / VCD_SECTOR_SIZE;
++    msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
++             i_tracks, p_sectors[i_tracks] );
++    p_vcddev->i_tracks = ++i_tracks;
++    p_vcddev->p_sectors = p_sectors;
++    i_ret = 0;
++
+ error:
+     if( cuefile ) fclose( cuefile );
++    free( p_sectors );
+     if( psz_cuefile ) free( psz_cuefile );
+     if( psz_vcdfile ) free( psz_vcdfile );
+ 
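Review bot: On the success path of the embedded cdrom.c patch, `p_vcddev->p_sectors = p_sectors;` falls straight through into `error:`, where the newly added `free( p_sectors );` releases the array that was just stored, leaving the device structure with a dangling pointer for any later reader or a second free on close. Clearing the local once ownership has moved, `p_sectors = NULL;` just before `i_ret = 0;`, keeps the free for the failure paths only. Separately, the TRACK scan now declares `char psz_dummy[9];` but still reads with `"%9s"`, which stores up to nine characters plus the terminator, so a first token of nine or more characters in the cue file writes one byte past the buffer; `char psz_dummy[10];`, as it was before the patch, avoids that. The function begins and ends outside the hunk, so the initial value of `i_ret`, which the removed `i_ret = -1;` assignments now rely on, should be confirmed too.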

Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1538&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Wed Nov  5 22:08:38 2008
@@ -12,3 +12,4 @@
 406-live555-crash.diff
 407-mms-overflow.diff
 408-CVE-2008-4686.diff
+409-cue-overflow.diff



