1 |
aballier 08/01/28 21:12:19 |
2 |
|
3 |
Modified: series |
4 |
Added: 360_all_CVE-2008-0225.patch |
5 |
370_all_CVE-2008-0295.patch |
6 |
Log: |
7 |
add patches for bug #205299 |
8 |
|
9 |
Revision Changes Path |
10 |
1.3 src/patchsets/vlc/0.8.6c/series |
11 |
|
12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/series?rev=1.3&view=markup |
13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/series?rev=1.3&content-type=text/plain |
14 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/series?r1=1.2&r2=1.3 |
15 |
|
16 |
Index: series |
17 |
=================================================================== |
18 |
RCS file: /var/cvsroot/gentoo/src/patchsets/vlc/0.8.6c/series,v |
19 |
retrieving revision 1.2 |
20 |
retrieving revision 1.3 |
21 |
diff -u -r1.2 -r1.3 |
22 |
--- series 10 Jan 2008 22:49:12 -0000 1.2 |
23 |
+++ series 28 Jan 2008 21:12:19 -0000 1.3 |
24 |
@@ -13,3 +13,5 @@ |
25 |
330_all_libdca.patch |
26 |
340_all_format_string_injection_httpd.patch |
27 |
350_all_stack_based_overflow_subtitles.patch |
28 |
+370_all_CVE-2008-0295.patch |
29 |
+360_all_CVE-2008-0225.patch |
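Review bot: The two new entries are listed in descending order, `370_all_CVE-2008-0295.patch` before `360_all_CVE-2008-0225.patch`, while the rest of the series is numbered ascending; a series file applies patches in listed order, so the numbering no longer reflects application order. The two patches touch different files (real_rmff.c/.h and real_sdpplin.c), so nothing breaks today, but swapping the two lines keeps the numbering convention meaningful.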
30 |
|
31 |
|
32 |
|
33 |
1.1 src/patchsets/vlc/0.8.6c/360_all_CVE-2008-0225.patch |
34 |
|
35 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/360_all_CVE-2008-0225.patch?rev=1.1&view=markup |
36 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/360_all_CVE-2008-0225.patch?rev=1.1&content-type=text/plain |
37 |
|
38 |
Index: 360_all_CVE-2008-0225.patch |
39 |
=================================================================== |
40 |
Changeset 24247 |
41 |
Timestamp: 01/12/08 00:37:21 |
42 |
Author: thresh |
43 |
Message: |
44 |
Port some fixes from the CVE-2008-0225 fix for xine-lib, plus some code style |
45 |
fixes. Someone should really review it, as it may not be fully fixed. |
46 |
|
47 |
Index: vlc-0.8.6d/modules/access/rtsp/real_rmff.c |
48 |
=================================================================== |
49 |
--- vlc-0.8.6d.orig/modules/access/rtsp/real_rmff.c |
50 |
+++ vlc-0.8.6d/modules/access/rtsp/real_rmff.c |
51 |
@@ -35,157 +35,184 @@ |
52 |
* writes header data to a buffer |
53 |
*/ |
54 |
|
55 |
-static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { |
56 |
+static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) { |
57 |
+ if (!fileheader) return 0; |
58 |
+ if (bufsize < RMFF_FILEHEADER_SIZE) |
59 |
+ return -1; |
60 |
+ |
61 |
+ fileheader->object_id=BE_32(&fileheader->object_id); |
62 |
+ fileheader->size=BE_32(&fileheader->size); |
63 |
+ fileheader->object_version=BE_16(&fileheader->object_version); |
64 |
+ fileheader->file_version=BE_32(&fileheader->file_version); |
65 |
+ fileheader->num_headers=BE_32(&fileheader->num_headers); |
66 |
+ |
67 |
+ memcpy(buffer, fileheader, 8); |
68 |
+ memcpy(&buffer[8], &fileheader->object_version, 2); |
69 |
+ memcpy(&buffer[10], &fileheader->file_version, 8); |
70 |
+ |
71 |
+ fileheader->size=BE_32(&fileheader->size); |
72 |
+ fileheader->object_version=BE_16(&fileheader->object_version); |
73 |
+ fileheader->file_version=BE_32(&fileheader->file_version); |
74 |
+ fileheader->num_headers=BE_32(&fileheader->num_headers); |
75 |
+ fileheader->object_id=BE_32(&fileheader->object_id); |
76 |
+ |
77 |
+ return RMFF_FILEHEADER_SIZE; |
78 |
+} |
79 |
+ |
80 |
+static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) { |
81 |
+ |
82 |
+ if (!prop) return 0; |
83 |
+ |
84 |
+ if (bufsize < RMFF_PROPHEADER_SIZE) |
85 |
+ return -1; |
86 |
+ |
87 |
+ prop->object_id=BE_32(&prop->object_id); |
88 |
+ prop->size=BE_32(&prop->size); |
89 |
+ prop->object_version=BE_16(&prop->object_version); |
90 |
+ prop->max_bit_rate=BE_32(&prop->max_bit_rate); |
91 |
+ prop->avg_bit_rate=BE_32(&prop->avg_bit_rate); |
92 |
+ prop->max_packet_size=BE_32(&prop->max_packet_size); |
93 |
+ prop->avg_packet_size=BE_32(&prop->avg_packet_size); |
94 |
+ prop->num_packets=BE_32(&prop->num_packets); |
95 |
+ prop->duration=BE_32(&prop->duration); |
96 |
+ prop->preroll=BE_32(&prop->preroll); |
97 |
+ prop->index_offset=BE_32(&prop->index_offset); |
98 |
+ prop->data_offset=BE_32(&prop->data_offset); |
99 |
+ prop->num_streams=BE_16(&prop->num_streams); |
100 |
+ prop->flags=BE_16(&prop->flags); |
101 |
+ |
102 |
+ memcpy(buffer, prop, 8); |
103 |
+ memcpy(&buffer[8], &prop->object_version, 2); |
104 |
+ memcpy(&buffer[10], &prop->max_bit_rate, 36); |
105 |
+ memcpy(&buffer[46], &prop->num_streams, 2); |
106 |
+ memcpy(&buffer[48], &prop->flags, 2); |
107 |
+ |
108 |
+ prop->size=BE_32(&prop->size); |
109 |
+ prop->object_version=BE_16(&prop->object_version); |
110 |
+ prop->max_bit_rate=BE_32(&prop->max_bit_rate); |
111 |
+ prop->avg_bit_rate=BE_32(&prop->avg_bit_rate); |
112 |
+ prop->max_packet_size=BE_32(&prop->max_packet_size); |
113 |
+ prop->avg_packet_size=BE_32(&prop->avg_packet_size); |
114 |
+ prop->num_packets=BE_32(&prop->num_packets); |
115 |
+ prop->duration=BE_32(&prop->duration); |
116 |
+ prop->preroll=BE_32(&prop->preroll); |
117 |
+ prop->index_offset=BE_32(&prop->index_offset); |
118 |
+ prop->data_offset=BE_32(&prop->data_offset); |
119 |
+ prop->num_streams=BE_16(&prop->num_streams); |
120 |
+ prop->flags=BE_16(&prop->flags); |
121 |
+ prop->object_id=BE_32(&prop->object_id); |
122 |
+ |
123 |
+ return RMFF_PROPHEADER_SIZE; |
124 |
+} |
125 |
+ |
126 |
+static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) { |
127 |
+ |
128 |
+ int s1, s2, s3; |
129 |
+ |
130 |
+ if (!mdpr) return 0; |
131 |
+ if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + |
132 |
+ mdpr->stream_name_size + mdpr->mime_type_size) |
133 |
+ return -1; |
134 |
+ |
135 |
+ mdpr->object_id=BE_32(&mdpr->object_id); |
136 |
+ mdpr->size=BE_32(&mdpr->size); |
137 |
+ mdpr->object_version=BE_16(&mdpr->object_version); |
138 |
+ mdpr->stream_number=BE_16(&mdpr->stream_number); |
139 |
+ mdpr->max_bit_rate=BE_32(&mdpr->max_bit_rate); |
140 |
+ mdpr->avg_bit_rate=BE_32(&mdpr->avg_bit_rate); |
141 |
+ mdpr->max_packet_size=BE_32(&mdpr->max_packet_size); |
142 |
+ mdpr->avg_packet_size=BE_32(&mdpr->avg_packet_size); |
143 |
+ mdpr->start_time=BE_32(&mdpr->start_time); |
144 |
+ mdpr->preroll=BE_32(&mdpr->preroll); |
145 |
+ mdpr->duration=BE_32(&mdpr->duration); |
146 |
+ |
147 |
+ memcpy(buffer, mdpr, 8); |
148 |
+ memcpy(&buffer[8], &mdpr->object_version, 2); |
149 |
+ memcpy(&buffer[10], &mdpr->stream_number, 2); |
150 |
+ memcpy(&buffer[12], &mdpr->max_bit_rate, 28); |
151 |
+ memcpy(&buffer[40], &mdpr->stream_name_size, 1); |
152 |
+ s1=mdpr->stream_name_size; |
153 |
+ memcpy(&buffer[41], mdpr->stream_name, s1); |
154 |
+ |
155 |
+ memcpy(&buffer[41+s1], &mdpr->mime_type_size, 1); |
156 |
+ s2=mdpr->mime_type_size; |
157 |
+ memcpy(&buffer[42+s1], mdpr->mime_type, s2); |
158 |
+ |
159 |
+ mdpr->type_specific_len=BE_32(&mdpr->type_specific_len); |
160 |
+ memcpy(&buffer[42+s1+s2], &mdpr->type_specific_len, 4); |
161 |
+ mdpr->type_specific_len=BE_32(&mdpr->type_specific_len); |
162 |
+ s3=mdpr->type_specific_len; |
163 |
+ memcpy(&buffer[46+s1+s2], mdpr->type_specific_data, s3); |
164 |
+ |
165 |
+ mdpr->size=BE_32(&mdpr->size); |
166 |
+ mdpr->stream_number=BE_16(&mdpr->stream_number); |
167 |
+ mdpr->max_bit_rate=BE_32(&mdpr->max_bit_rate); |
168 |
+ mdpr->avg_bit_rate=BE_32(&mdpr->avg_bit_rate); |
169 |
+ mdpr->max_packet_size=BE_32(&mdpr->max_packet_size); |
170 |
+ mdpr->avg_packet_size=BE_32(&mdpr->avg_packet_size); |
171 |
+ mdpr->start_time=BE_32(&mdpr->start_time); |
172 |
+ mdpr->preroll=BE_32(&mdpr->preroll); |
173 |
+ mdpr->duration=BE_32(&mdpr->duration); |
174 |
+ mdpr->object_id=BE_32(&mdpr->object_id); |
175 |
+ |
176 |
+ return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3; |
177 |
+} |
178 |
+ |
179 |
+static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) { |
180 |
+ |
181 |
+ int p; |
182 |
+ |
183 |
+ if (!cont) return 0; |
184 |
+ |
185 |
+ if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + \ |
186 |
+ cont->copyright_len + cont->comment_len) |
187 |
+ return -1; |
188 |
+ |
189 |
+ cont->object_id=BE_32(&cont->object_id); |
190 |
+ cont->size=BE_32(&cont->size); |
191 |
+ cont->object_version=BE_16(&cont->object_version); |
192 |
+ |
193 |
+ memcpy(buffer, cont, 8); |
194 |
+ memcpy(&buffer[8], &cont->object_version, 2); |
195 |
+ |
196 |
+ cont->title_len=BE_16(&cont->title_len); |
197 |
+ memcpy(&buffer[10], &cont->title_len, 2); |
198 |
+ cont->title_len=BE_16(&cont->title_len); |
199 |
+ memcpy(&buffer[12], cont->title, cont->title_len); |
200 |
+ p=12+cont->title_len; |
201 |
+ |
202 |
+ cont->author_len=BE_16(&cont->author_len); |
203 |
+ memcpy(&buffer[p], &cont->author_len, 2); |
204 |
+ cont->author_len=BE_16(&cont->author_len); |
205 |
+ memcpy(&buffer[p+2], cont->author, cont->author_len); |
206 |
+ p+=2+cont->author_len; |
207 |
+ |
208 |
+ cont->copyright_len=BE_16(&cont->copyright_len); |
209 |
+ memcpy(&buffer[p], &cont->copyright_len, 2); |
210 |
+ cont->copyright_len=BE_16(&cont->copyright_len); |
211 |
+ memcpy(&buffer[p+2], cont->copyright, cont->copyright_len); |
212 |
+ p+=2+cont->copyright_len; |
213 |
+ |
214 |
+ cont->comment_len=BE_16(&cont->comment_len); |
215 |
+ memcpy(&buffer[p], &cont->comment_len, 2); |
216 |
+ cont->comment_len=BE_16(&cont->comment_len); |
217 |
+ memcpy(&buffer[p+2], cont->comment, cont->comment_len); |
218 |
+ |
219 |
+ cont->size=BE_32(&cont->size); |
220 |
+ cont->object_version=BE_16(&cont->object_version); |
221 |
+ cont->object_id=BE_32(&cont->object_id); |
222 |
+ |
223 |
+ return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + \ |
224 |
+ cont->copyright_len + cont->comment_len; |
225 |
+} |
226 |
+ |
227 |
+static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) { |
228 |
+ |
229 |
+ if (!data) return 0; |
230 |
+ |
231 |
+ if (bufsize < RMFF_DATAHEADER_SIZE) |
232 |
+ return -1; |
233 |
|
234 |
- if (!fileheader) return; |
235 |
- fileheader->object_id=BE_32(&fileheader->object_id); |
236 |
- fileheader->size=BE_32(&fileheader->size); |
237 |
- fileheader->object_version=BE_16(&fileheader->object_version); |
238 |
- fileheader->file_version=BE_32(&fileheader->file_version); |
239 |
- fileheader->num_headers=BE_32(&fileheader->num_headers); |
240 |
- |
241 |
- memcpy(buffer, fileheader, 8); |
242 |
- memcpy(&buffer[8], &fileheader->object_version, 2); |
243 |
- memcpy(&buffer[10], &fileheader->file_version, 8); |
244 |
- |
245 |
- fileheader->size=BE_32(&fileheader->size); |
246 |
- fileheader->object_version=BE_16(&fileheader->object_version); |
247 |
- fileheader->file_version=BE_32(&fileheader->file_version); |
248 |
- fileheader->num_headers=BE_32(&fileheader->num_headers); |
249 |
- fileheader->object_id=BE_32(&fileheader->object_id); |
250 |
-} |
251 |
- |
252 |
-static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { |
253 |
- |
254 |
- if (!prop) return; |
255 |
- prop->object_id=BE_32(&prop->object_id); |
256 |
- prop->size=BE_32(&prop->size); |
257 |
- prop->object_version=BE_16(&prop->object_version); |
258 |
- prop->max_bit_rate=BE_32(&prop->max_bit_rate); |
259 |
- prop->avg_bit_rate=BE_32(&prop->avg_bit_rate); |
260 |
- prop->max_packet_size=BE_32(&prop->max_packet_size); |
261 |
- prop->avg_packet_size=BE_32(&prop->avg_packet_size); |
262 |
- prop->num_packets=BE_32(&prop->num_packets); |
263 |
- prop->duration=BE_32(&prop->duration); |
264 |
- prop->preroll=BE_32(&prop->preroll); |
265 |
- prop->index_offset=BE_32(&prop->index_offset); |
266 |
- prop->data_offset=BE_32(&prop->data_offset); |
267 |
- prop->num_streams=BE_16(&prop->num_streams); |
268 |
- prop->flags=BE_16(&prop->flags); |
269 |
- |
270 |
- memcpy(buffer, prop, 8); |
271 |
- memcpy(&buffer[8], &prop->object_version, 2); |
272 |
- memcpy(&buffer[10], &prop->max_bit_rate, 36); |
273 |
- memcpy(&buffer[46], &prop->num_streams, 2); |
274 |
- memcpy(&buffer[48], &prop->flags, 2); |
275 |
- |
276 |
- prop->size=BE_32(&prop->size); |
277 |
- prop->object_version=BE_16(&prop->object_version); |
278 |
- prop->max_bit_rate=BE_32(&prop->max_bit_rate); |
279 |
- prop->avg_bit_rate=BE_32(&prop->avg_bit_rate); |
280 |
- prop->max_packet_size=BE_32(&prop->max_packet_size); |
281 |
- prop->avg_packet_size=BE_32(&prop->avg_packet_size); |
282 |
- prop->num_packets=BE_32(&prop->num_packets); |
283 |
- prop->duration=BE_32(&prop->duration); |
284 |
- prop->preroll=BE_32(&prop->preroll); |
285 |
- prop->index_offset=BE_32(&prop->index_offset); |
286 |
- prop->data_offset=BE_32(&prop->data_offset); |
287 |
- prop->num_streams=BE_16(&prop->num_streams); |
288 |
- prop->flags=BE_16(&prop->flags); |
289 |
- prop->object_id=BE_32(&prop->object_id); |
290 |
-} |
291 |
- |
292 |
-static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { |
293 |
- |
294 |
- int s1, s2, s3; |
295 |
- |
296 |
- if (!mdpr) return; |
297 |
- mdpr->object_id=BE_32(&mdpr->object_id); |
298 |
- mdpr->size=BE_32(&mdpr->size); |
299 |
- mdpr->object_version=BE_16(&mdpr->object_version); |
300 |
- mdpr->stream_number=BE_16(&mdpr->stream_number); |
301 |
- mdpr->max_bit_rate=BE_32(&mdpr->max_bit_rate); |
302 |
- mdpr->avg_bit_rate=BE_32(&mdpr->avg_bit_rate); |
303 |
- mdpr->max_packet_size=BE_32(&mdpr->max_packet_size); |
304 |
- mdpr->avg_packet_size=BE_32(&mdpr->avg_packet_size); |
305 |
- mdpr->start_time=BE_32(&mdpr->start_time); |
306 |
- mdpr->preroll=BE_32(&mdpr->preroll); |
307 |
- mdpr->duration=BE_32(&mdpr->duration); |
308 |
- |
309 |
- memcpy(buffer, mdpr, 8); |
310 |
- memcpy(&buffer[8], &mdpr->object_version, 2); |
311 |
- memcpy(&buffer[10], &mdpr->stream_number, 2); |
312 |
- memcpy(&buffer[12], &mdpr->max_bit_rate, 28); |
313 |
- memcpy(&buffer[40], &mdpr->stream_name_size, 1); |
314 |
- s1=mdpr->stream_name_size; |
315 |
- memcpy(&buffer[41], mdpr->stream_name, s1); |
316 |
- |
317 |
- memcpy(&buffer[41+s1], &mdpr->mime_type_size, 1); |
318 |
- s2=mdpr->mime_type_size; |
319 |
- memcpy(&buffer[42+s1], mdpr->mime_type, s2); |
320 |
- |
321 |
- mdpr->type_specific_len=BE_32(&mdpr->type_specific_len); |
322 |
- memcpy(&buffer[42+s1+s2], &mdpr->type_specific_len, 4); |
323 |
- mdpr->type_specific_len=BE_32(&mdpr->type_specific_len); |
324 |
- s3=mdpr->type_specific_len; |
325 |
- memcpy(&buffer[46+s1+s2], mdpr->type_specific_data, s3); |
326 |
- |
327 |
- mdpr->size=BE_32(&mdpr->size); |
328 |
- mdpr->stream_number=BE_16(&mdpr->stream_number); |
329 |
- mdpr->max_bit_rate=BE_32(&mdpr->max_bit_rate); |
330 |
- mdpr->avg_bit_rate=BE_32(&mdpr->avg_bit_rate); |
331 |
- mdpr->max_packet_size=BE_32(&mdpr->max_packet_size); |
332 |
- mdpr->avg_packet_size=BE_32(&mdpr->avg_packet_size); |
333 |
- mdpr->start_time=BE_32(&mdpr->start_time); |
334 |
- mdpr->preroll=BE_32(&mdpr->preroll); |
335 |
- mdpr->duration=BE_32(&mdpr->duration); |
336 |
- mdpr->object_id=BE_32(&mdpr->object_id); |
337 |
- |
338 |
-} |
339 |
- |
340 |
-static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { |
341 |
- |
342 |
- int p; |
343 |
- |
344 |
- if (!cont) return; |
345 |
- cont->object_id=BE_32(&cont->object_id); |
346 |
- cont->size=BE_32(&cont->size); |
347 |
- cont->object_version=BE_16(&cont->object_version); |
348 |
- |
349 |
- memcpy(buffer, cont, 8); |
350 |
- memcpy(&buffer[8], &cont->object_version, 2); |
351 |
- |
352 |
- cont->title_len=BE_16(&cont->title_len); |
353 |
- memcpy(&buffer[10], &cont->title_len, 2); |
354 |
- cont->title_len=BE_16(&cont->title_len); |
355 |
- memcpy(&buffer[12], cont->title, cont->title_len); |
356 |
- p=12+cont->title_len; |
357 |
- |
358 |
- cont->author_len=BE_16(&cont->author_len); |
359 |
- memcpy(&buffer[p], &cont->author_len, 2); |
360 |
- cont->author_len=BE_16(&cont->author_len); |
361 |
- memcpy(&buffer[p+2], cont->author, cont->author_len); |
362 |
- p+=2+cont->author_len; |
363 |
- |
364 |
- cont->copyright_len=BE_16(&cont->copyright_len); |
365 |
- memcpy(&buffer[p], &cont->copyright_len, 2); |
366 |
- cont->copyright_len=BE_16(&cont->copyright_len); |
367 |
- memcpy(&buffer[p+2], cont->copyright, cont->copyright_len); |
368 |
- p+=2+cont->copyright_len; |
369 |
- |
370 |
- cont->comment_len=BE_16(&cont->comment_len); |
371 |
- memcpy(&buffer[p], &cont->comment_len, 2); |
372 |
- cont->comment_len=BE_16(&cont->comment_len); |
373 |
- memcpy(&buffer[p+2], cont->comment, cont->comment_len); |
374 |
- |
375 |
- cont->size=BE_32(&cont->size); |
376 |
- cont->object_version=BE_16(&cont->object_version); |
377 |
- cont->object_id=BE_32(&cont->object_id); |
378 |
-} |
379 |
- |
380 |
-static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { |
381 |
- |
382 |
- if (!data) return; |
383 |
|
384 |
data->object_id=BE_32(&data->object_id); |
385 |
data->size=BE_32(&data->size); |
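Review bot: The length check added at the top of rmff_dump_mdpr, `bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size`, adds three fields that come from the parsed stream description before comparing, so if type_specific_len is a 32-bit field (it is byte-swapped with BE_32 further down; the struct itself is in real_rmff.h, not shown here) a very large value wraps the sum back below bufsize and the later `memcpy(&buffer[46+s1+s2], mdpr->type_specific_data, s3)` still runs with s3 equal to that value; the comparison is also signed-vs-unsigned against the int bufsize. Checking the remaining space one term at a time, as below, cannot wrap. rmff_dump_cont's equivalent check is sound because its four lengths are 16-bit (BE_16), and the fixed-size headers compare against a constant only. The trailing backslashes on the multi-line conditions in rmff_dump_cont are not needed outside a macro and can be dropped.
```c
static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) {

  int s1, s2, s3;
  unsigned avail;

  if (!mdpr) return 0;
  /* compare one length at a time so an oversized field cannot wrap the sum */
  if (bufsize < RMFF_MDPRHEADER_SIZE)
    return -1;
  avail = (unsigned)bufsize - RMFF_MDPRHEADER_SIZE;
  if (mdpr->stream_name_size > avail)
    return -1;
  avail -= mdpr->stream_name_size;
  if (mdpr->mime_type_size > avail)
    return -1;
  avail -= mdpr->mime_type_size;
  if (mdpr->type_specific_len > avail)
    return -1;
  /* … unchanged: byte-swap, memcpy and swap-back sequence … */
```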
386 |
@@ -202,33 +229,50 @@ static void rmff_dump_dataheader(rmff_da |
387 |
data->size=BE_32(&data->size); |
388 |
data->object_version=BE_16(&data->object_version); |
389 |
data->object_id=BE_32(&data->object_id); |
390 |
+ |
391 |
+ return RMFF_DATAHEADER_SIZE; |
392 |
} |
393 |
|
394 |
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max) { |
395 |
+int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) { |
396 |
+ uint8_t *buffer = buf_gen; |
397 |
|
398 |
- int written=0; |
399 |
- rmff_mdpr_t **stream=h->streams; |
400 |
+ int written=0, size; |
401 |
+ rmff_mdpr_t **stream=h->streams; |
402 |
|
403 |
- rmff_dump_fileheader(h->fileheader, &buffer[written]); |
404 |
- written+=h->fileheader->size; |
405 |
- rmff_dump_prop(h->prop, &buffer[written]); |
406 |
- written+=h->prop->size; |
407 |
- rmff_dump_cont(h->cont, &buffer[written]); |
408 |
- written+=h->cont->size; |
409 |
- if (stream) |
410 |
- { |
411 |
- while(*stream) |
412 |
- { |
413 |
- rmff_dump_mdpr(*stream, &buffer[written]); |
414 |
- written+=(*stream)->size; |
415 |
- stream++; |
416 |
+ if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0) |
417 |
+ return -1; |
418 |
+ |
419 |
+ written += size; |
420 |
+ max -= size; |
421 |
+ |
422 |
+ if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0) |
423 |
+ return -1; |
424 |
+ |
425 |
+ written += size; |
426 |
+ max -= size; |
427 |
+ |
428 |
+ if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0) |
429 |
+ return -1; |
430 |
+ |
431 |
+ written += size; |
432 |
+ max -= size; |
433 |
+ |
434 |
+ if (stream) { |
435 |
+ while(*stream) { |
436 |
+ if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0) |
437 |
+ return -1; |
438 |
+ written += size; |
439 |
+ max -= size; |
440 |
+ stream++; |
441 |
+ } |
442 |
} |
443 |
- } |
444 |
|
445 |
- rmff_dump_dataheader(h->data, &buffer[written]); |
446 |
- written+=18; |
447 |
+ if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0) |
448 |
+ return -1; |
449 |
+ |
450 |
+ written+=size; |
451 |
|
452 |
- return written; |
453 |
+ return written; |
454 |
} |
455 |
|
456 |
void rmff_dump_pheader(rmff_pheader_t *h, char *data) { |
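Review bot: A NULL `h->fileheader`, `h->prop` or `h->cont` now produces a short, silently malformed dump instead of an error: each rmff_dump_* helper returns 0 for a NULL argument and the new sequence `written += size; max -= size;` simply moves on to the next chunk. Before this change `written+=h->fileheader->size` (and the prop and cont equivalents) dereferenced those pointers unconditionally, so NULL was never a supported input, and accepting it now hides a broken header behind a plausible byte count; `if (!h->fileheader || !h->prop || !h->cont || !h->data) return -1;` at the top of the function would keep the new -1 contract meaningful. `h` itself is still dereferenced at `rmff_mdpr_t **stream=h->streams;` without a check, as before.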
457 |
Index: vlc-0.8.6d/modules/access/rtsp/real_rmff.h |
458 |
=================================================================== |
459 |
--- vlc-0.8.6d.orig/modules/access/rtsp/real_rmff.h |
460 |
+++ vlc-0.8.6d/modules/access/rtsp/real_rmff.h |
461 |
@@ -29,6 +29,12 @@ |
462 |
|
463 |
#define RMFF_HEADER_SIZE 0x12 |
464 |
|
465 |
+#define RMFF_FILEHEADER_SIZE 18 |
466 |
+#define RMFF_PROPHEADER_SIZE 50 |
467 |
+#define RMFF_MDPRHEADER_SIZE 46 |
468 |
+#define RMFF_CONTHEADER_SIZE 18 |
469 |
+#define RMFF_DATAHEADER_SIZE 18 |
470 |
+ |
471 |
#define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \ |
472 |
(((long)(unsigned char)(ch3) ) | \ |
473 |
( (long)(unsigned char)(ch2) << 8 ) | \ |
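Review bot: The five new `#define RMFF_*HEADER_SIZE` constants carry no comment saying they are serialized on-wire sizes that the memcpy offsets in real_rmff.c add up to (18, 50, 46, 18, 18), not `sizeof` of the corresponding structs, which is also why RMFF_FILEHEADER_SIZE duplicates the existing `RMFF_HEADER_SIZE 0x12`. A reader who later "simplifies" a bufsize check to a struct sizeof would silently break the bounds checks. Suggest `/* serialized (on-wire) sizes of the fixed part of each chunk; must match the memcpy layout in real_rmff.c */` above the group.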
474 |
@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t * |
475 |
/* |
476 |
* dumps the header <h> to <buffer>. <max> is the size of <buffer> |
477 |
*/ |
478 |
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max); |
479 |
+int rmff_dump_header(rmff_header_t *h, void *buffer, int max); |
480 |
|
481 |
/* |
482 |
* dumps a packet header |
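Review bot: The comment above the changed prototype still reads only `dumps the header <h> to <buffer>. <max> is the size of <buffer>` and does not mention that rmff_dump_header now returns -1 when <buffer> is too small, which is the whole point of the change and the case callers must start handling. Suggest adding ` * Returns the number of bytes written, or -1 if <max> is too small for the header.` to that comment.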
483 |
|
484 |
|
485 |
|
486 |
1.1 src/patchsets/vlc/0.8.6c/370_all_CVE-2008-0295.patch |
487 |
|
488 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/370_all_CVE-2008-0295.patch?rev=1.1&view=markup |
489 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6c/370_all_CVE-2008-0295.patch?rev=1.1&content-type=text/plain |
490 |
|
491 |
Index: 370_all_CVE-2008-0295.patch |
492 |
=================================================================== |
493 |
Changeset 24440 |
494 |
Timestamp: 01/20/08 17:56:12 |
495 |
Author: xtophe |
496 |
Message: Avoid buffer overflow. Fix #1442. Refs CVE-2008-0295 CVE-2008-0296 |
497 |
|
498 |
Index: vlc-0.8.6d/modules/access/rtsp/real_sdpplin.c |
499 |
=================================================================== |
500 |
--- vlc-0.8.6d.orig/modules/access/rtsp/real_sdpplin.c |
501 |
+++ vlc-0.8.6d/modules/access/rtsp/real_sdpplin.c |
502 |
@@ -24,6 +24,7 @@ |
503 |
*/ |
504 |
|
505 |
#include "real.h" |
506 |
+#define BUFLEN 32000 |
507 |
|
508 |
/* |
509 |
* Decodes base64 strings (based upon b64 package) |
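Review bot: `#define BUFLEN 32000` has no comment, yet it serves both as the malloc() size of `buf`/`decoded` and as the `outlen` handed to filter(), so the two uses must stay in step; as a side effect sdpplin_parse's buffers grow from 3200 to 32000. Suggest `/* size of the buf/decoded scratch buffers; filter() is told this size, so both must stay in sync */` above the define.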
510 |
@@ -88,7 +89,7 @@ static char *nl(char *data) { |
511 |
return (nlptr) ? nlptr + 1 : NULL; |
512 |
} |
513 |
|
514 |
-static int filter(const char *in, const char *filter, char **out) { |
515 |
+static int filter(const char *in, const char *filter, char **out, size_t outlen) { |
516 |
|
517 |
int flen=strlen(filter); |
518 |
int len; |
519 |
@@ -100,6 +101,11 @@ static int filter(const char *in, const |
520 |
if(in[flen]=='"') flen++; |
521 |
if(in[len-1]==13) len--; |
522 |
if(in[len-1]=='"') len--; |
523 |
+ if( len-flen+1 > outlen ) |
524 |
+ { |
525 |
+ printf("Discarding end of string to avoid overflow"); |
526 |
+ len=outlen+flen-1; |
527 |
+ } |
528 |
memcpy(*out, in+flen, len-flen+1); |
529 |
(*out)[len-flen]=0; |
530 |
return len-flen; |
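Review bot: `if( len-flen+1 > outlen )` compares an int expression with a size_t, so the left side is converted to unsigned; as far as the visible lines show, the trimming of a trailing 13 or '"' just above can leave len below flen when the input is only the filter string followed by a quote (filter's start is outside the hunk), in which case the new check does not fire and `(*out)[len-flen]=0` writes one byte before *out, while any more negative value would pass the check as a huge number and make `len=outlen+flen-1` copy outlen bytes. Guard the negative case first and make the cast explicit: `if( len < flen ) return 0;` followed by `if( (size_t)(len-flen+1) > outlen )`. The diagnostic `printf("Discarding end of string to avoid overflow")` writes to stdout without a newline whereas this file logs through lprintf (e.g. `lprintf("sdpplin: no m= found.\n")`); use `lprintf("sdpplin: discarding end of string to avoid overflow\n");` for consistency.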
531 |
@@ -110,8 +116,8 @@ static int filter(const char *in, const |
532 |
static sdpplin_stream_t *sdpplin_parse_stream(char **data) { |
533 |
|
534 |
sdpplin_stream_t *desc = malloc(sizeof(sdpplin_stream_t)); |
535 |
- char *buf = malloc(32000); |
536 |
- char *decoded = malloc(32000); |
537 |
+ char *buf = malloc(BUFLEN); |
538 |
+ char *decoded = malloc(BUFLEN); |
539 |
int handled; |
540 |
|
541 |
if( !desc ) return NULL; |
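Review bot: `if( !desc ) return NULL;` at the end of the hunk leaks `buf` and `decoded`, which the lines just above allocate (now with BUFLEN) before desc is checked; either move the two malloc() calls below the desc check or release them on that exit, `if( !desc ) { free(buf); free(decoded); return NULL; }`. The `goto error` paths further down presumably free them, so this early return is the only leaking exit in view; the rest of sdpplin_parse_stream lies outside this hunk.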
542 |
@@ -120,7 +126,7 @@ static sdpplin_stream_t *sdpplin_parse_s |
543 |
if( !buf ) goto error; |
544 |
if( !decoded ) goto error; |
545 |
|
546 |
- if (filter(*data, "m=", &buf)) { |
547 |
+ if (filter(*data, "m=", &buf, BUFLEN)) { |
548 |
desc->id = strdup(buf); |
549 |
} else { |
550 |
lprintf("sdpplin: no m= found.\n"); |
551 |
@@ -131,53 +137,53 @@ static sdpplin_stream_t *sdpplin_parse_s |
552 |
while (*data && **data && *data[0]!='m') { |
553 |
handled=0; |
554 |
|
555 |
- if(filter(*data,"a=control:streamid=",&buf)) { |
556 |
+ if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) { |
557 |
desc->stream_id=atoi(buf); |
558 |
handled=1; |
559 |
*data=nl(*data); |
560 |
} |
561 |
- if(filter(*data,"a=MaxBitRate:integer;",&buf)) { |
562 |
+ if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) { |
563 |
desc->max_bit_rate=atoi(buf); |
564 |
if (!desc->avg_bit_rate) |
565 |
desc->avg_bit_rate=desc->max_bit_rate; |
566 |
handled=1; |
567 |
*data=nl(*data); |
568 |
} |
569 |
- if(filter(*data,"a=MaxPacketSize:integer;",&buf)) { |
570 |
+ if(filter(*data,"a=MaxPacketSize:integer;",&buf, BUFLEN)) { |
571 |
desc->max_packet_size=atoi(buf); |
572 |
if (!desc->avg_packet_size) |
573 |
desc->avg_packet_size=desc->max_packet_size; |
574 |
handled=1; |
575 |
*data=nl(*data); |
576 |
} |
577 |
- if(filter(*data,"a=StartTime:integer;",&buf)) { |
578 |
+ if(filter(*data,"a=StartTime:integer;",&buf, BUFLEN)) { |
579 |
desc->start_time=atoi(buf); |
580 |
handled=1; |
581 |
*data=nl(*data); |
582 |
} |
583 |
- if(filter(*data,"a=Preroll:integer;",&buf)) { |
584 |
+ if(filter(*data,"a=Preroll:integer;",&buf, BUFLEN)) { |
585 |
desc->preroll=atoi(buf); |
586 |
handled=1; |
587 |
*data=nl(*data); |
588 |
} |
589 |
- if(filter(*data,"a=length:npt=",&buf)) { |
590 |
+ if(filter(*data,"a=length:npt=",&buf, BUFLEN)) { |
591 |
desc->duration=(uint32_t)(atof(buf)*1000); |
592 |
handled=1; |
593 |
*data=nl(*data); |
594 |
} |
595 |
- if(filter(*data,"a=StreamName:string;",&buf)) { |
596 |
+ if(filter(*data,"a=StreamName:string;",&buf, BUFLEN)) { |
597 |
desc->stream_name=strdup(buf); |
598 |
desc->stream_name_size=strlen(desc->stream_name); |
599 |
handled=1; |
600 |
*data=nl(*data); |
601 |
} |
602 |
- if(filter(*data,"a=mimetype:string;",&buf)) { |
603 |
+ if(filter(*data,"a=mimetype:string;",&buf, BUFLEN)) { |
604 |
desc->mime_type=strdup(buf); |
605 |
desc->mime_type_size=strlen(desc->mime_type); |
606 |
handled=1; |
607 |
*data=nl(*data); |
608 |
} |
609 |
- if(filter(*data,"a=OpaqueData:buffer;",&buf)) { |
610 |
+ if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) { |
611 |
decoded = b64_decode(buf, decoded, &(desc->mlti_data_size)); |
612 |
desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size); |
613 |
memcpy(desc->mlti_data, decoded, desc->mlti_data_size); |
614 |
@@ -185,7 +191,7 @@ static sdpplin_stream_t *sdpplin_parse_s |
615 |
*data=nl(*data); |
616 |
lprintf("mlti_data_size: %i\n", desc->mlti_data_size); |
617 |
} |
618 |
- if(filter(*data,"a=ASMRuleBook:string;",&buf)) { |
619 |
+ if(filter(*data,"a=ASMRuleBook:string;",&buf, BUFLEN)) { |
620 |
desc->asm_rule_book=strdup(buf); |
621 |
handled=1; |
622 |
*data=nl(*data); |
623 |
@@ -216,8 +222,8 @@ sdpplin_t *sdpplin_parse(char *data) { |
624 |
|
625 |
sdpplin_t *desc = malloc(sizeof(sdpplin_t)); |
626 |
sdpplin_stream_t *stream; |
627 |
- char *buf=malloc(3200); |
628 |
- char *decoded=malloc(3200); |
629 |
+ char *buf=malloc(BUFLEN); |
630 |
+ char *decoded=malloc(BUFLEN); |
631 |
int handled; |
632 |
int len; |
633 |
|
634 |
@@ -236,43 +242,43 @@ sdpplin_t *sdpplin_parse(char *data) { |
635 |
while (data && *data) { |
636 |
handled=0; |
637 |
|
638 |
- if (filter(data, "m=", &buf)) { |
639 |
+ if (filter(data, "m=", &buf, BUFLEN)) { |
640 |
stream=sdpplin_parse_stream(&data); |
641 |
lprintf("got data for stream id %u\n", stream->stream_id); |
642 |
desc->stream[stream->stream_id]=stream; |
643 |
continue; |
644 |
} |
645 |
- if(filter(data,"a=Title:buffer;",&buf)) { |
646 |
+ if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) { |
647 |
decoded=b64_decode(buf, decoded, &len); |
648 |
desc->title=strdup(decoded); |
649 |
handled=1; |
650 |
data=nl(data); |
651 |
} |
652 |
- if(filter(data,"a=Author:buffer;",&buf)) { |
653 |
+ if(filter(data,"a=Author:buffer;",&buf, BUFLEN)) { |
654 |
decoded=b64_decode(buf, decoded, &len); |
655 |
desc->author=strdup(decoded); |
656 |
handled=1; |
657 |
data=nl(data); |
658 |
} |
659 |
- if(filter(data,"a=Copyright:buffer;",&buf)) { |
660 |
+ if(filter(data,"a=Copyright:buffer;",&buf, BUFLEN)) { |
661 |
decoded=b64_decode(buf, decoded, &len); |
662 |
desc->copyright=strdup(decoded); |
663 |
handled=1; |
664 |
data=nl(data); |
665 |
} |
666 |
- if(filter(data,"a=Abstract:buffer;",&buf)) { |
667 |
+ if(filter(data,"a=Abstract:buffer;",&buf, BUFLEN)) { |
668 |
decoded=b64_decode(buf, decoded, &len); |
669 |
desc->abstract=strdup(decoded); |
670 |
handled=1; |
671 |
data=nl(data); |
672 |
} |
673 |
- if(filter(data,"a=StreamCount:integer;",&buf)) { |
674 |
+ if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) { |
675 |
desc->stream_count=atoi(buf); |
676 |
desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); |
677 |
handled=1; |
678 |
data=nl(data); |
679 |
} |
680 |
- if(filter(data,"a=Flags:integer;",&buf)) { |
681 |
+ if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) { |
682 |
desc->flags=atoi(buf); |
683 |
handled=1; |
684 |
data=nl(data); |
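Review bot: `desc->stream[stream->stream_id]=stream;` (context line after the changed `m=` filter call) indexes an array of `desc->stream_count` entries with a value taken from the SDP text (`a=control:streamid=` through atoi in sdpplin_parse_stream) without any range check, and `desc->stream` is only allocated once an `a=StreamCount:integer;` line has been seen in this same loop, so an `m=` block that precedes it writes through an unallocated pointer. sdpplin_parse_stream can also return NULL (its `if( !desc ) return NULL;`), which `stream->stream_id` on the line before would dereference. Before the assignment, check `if (!stream || !desc->stream || stream->stream_id >= desc->stream_count)` and fail the parse, rejecting negative values too if stream_id is a signed type; the cleanup for that failure path and the rest of sdpplin_parse are outside this hunk. This patch only bounds filter()'s copy; whether the indexing above is covered by the CVEs named in the message is not visible here.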
685 |
|
686 |
|
687 |
|
688 |