| 1 |
aballier 08/08/24 13:10:24 |
| 2 |
|
| 3 |
Modified: series |
| 4 |
Added: |
| 5 |
410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
| 6 |
Log: |
| 7 |
add upstream patch for bug #235589 |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.3 src/patchsets/vlc/0.8.6i/series |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?rev=1.3&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?rev=1.3&content-type=text/plain |
| 14 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?r1=1.2&r2=1.3 |
| 15 |
|
| 16 |
Index: series |
| 17 |
=================================================================== |
| 18 |
RCS file: /var/cvsroot/gentoo/src/patchsets/vlc/0.8.6i/series,v |
| 19 |
retrieving revision 1.2 |
| 20 |
retrieving revision 1.3 |
| 21 |
diff -u -r1.2 -r1.3 |
| 22 |
--- series 22 Aug 2008 08:55:31 -0000 1.2 |
| 23 |
+++ series 24 Aug 2008 13:10:23 -0000 1.3 |
| 24 |
@@ -16,3 +16,4 @@ |
| 25 |
380_all_TTA-Sanity-check-to-avoid-overflow-and-typo.patch |
| 26 |
390_all_Kill-a-warning-and-put-i_datalength-as-an-uint32_t.patch |
| 27 |
400_all_Fix-previous-commits.patch |
| 28 |
+410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
1.1 src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
| 33 |
|
| 34 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch?rev=1.1&view=markup |
| 35 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch?rev=1.1&content-type=text/plain |
| 36 |
|
| 37 |
Index: 410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
| 38 |
=================================================================== |
| 39 |
From 2947f778df4f440ceeb6f5dc1bdb0e9f5cd31e74 Mon Sep 17 00:00:00 2001 |
| 40 |
From: =?utf-8?q?R=C3=A9mi=20Denis-Courmont?= <rdenis@××××××××××××.com> |
| 41 |
Date: Sun, 24 Aug 2008 13:18:01 +0300 |
| 42 |
Subject: [PATCH] MMS integers handling fixes, including buffer overflow |
| 43 |
MIME-Version: 1.0 |
| 44 |
Content-Type: text/plain; charset=utf-8 |
| 45 |
Content-Transfer-Encoding: 8bit |
| 46 |
|
| 47 |
Pointed-out-by: Pınar Yanardağ |
| 48 |
(cherry picked from commit afe3464a1c7c6f9d7640a3f5db17010c34212440) |
| 49 |
|
| 50 |
Conflicts: |
| 51 |
|
| 52 |
modules/access/mms/mmstu.c |
| 53 |
--- |
| 54 |
modules/access/mms/mmstu.c | 19 ++++++++++--------- |
| 55 |
modules/access/mms/mmstu.h | 6 +++--- |
| 56 |
2 files changed, 13 insertions(+), 12 deletions(-) |
| 57 |
|
| 58 |
diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c |
| 59 |
index 61f9e38..df5ec78 100644 |
| 60 |
--- a/modules/access/mms/mmstu.c |
| 61 |
+++ b/modules/access/mms/mmstu.c |
| 62 |
@@ -28,6 +28,7 @@ |
| 63 |
#include <stdlib.h> |
| 64 |
#include <vlc/vlc.h> |
| 65 |
#include <string.h> |
| 66 |
+#include <inttypes.h> |
| 67 |
#include <vlc/input.h> |
| 68 |
#include <errno.h> |
| 69 |
|
| 70 |
@@ -695,7 +696,7 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto ) |
| 71 |
GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 60 ); |
| 72 |
|
| 73 |
msg_Dbg( p_access, |
| 74 |
- "answer 0x06 flags:0x%8.8x media_length:%us packet_length:%lu packet_count:%u max_bit_rate:%d header_size:%d", |
| 75 |
+ "answer 0x06 flags:0x%8.8"PRIx32" media_length:%"PRIu32"s packet_length:%zu packet_count:%"PRIu32" max_bit_rate:%d header_size:%zu", |
| 76 |
p_sys->i_flags_broadcast, |
| 77 |
p_sys->i_media_length, |
| 78 |
p_sys->i_packet_length, |
| 79 |
@@ -749,12 +750,12 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto ) |
| 80 |
if( p_sys->i_header >= p_sys->i_header_size ) |
| 81 |
{ |
| 82 |
msg_Dbg( p_access, |
| 83 |
- "header complete(%d)", |
| 84 |
+ "header complete(%zu)", |
| 85 |
p_sys->i_header ); |
| 86 |
break; |
| 87 |
} |
| 88 |
msg_Dbg( p_access, |
| 89 |
- "header incomplete (%d/%d), reading more", |
| 90 |
+ "header incomplete (%zu/%zu), reading more", |
| 91 |
p_sys->i_header, |
| 92 |
p_sys->i_header_size ); |
| 93 |
} |
| 94 |
@@ -1128,7 +1129,7 @@ static int NetFillBuffer( access_t *p_access ) |
| 95 |
|
| 96 |
static int mms_ParseCommand( access_t *p_access, |
| 97 |
uint8_t *p_data, |
| 98 |
- int i_data, |
| 99 |
+ size_t i_data, |
| 100 |
int *pi_used ) |
| 101 |
{ |
| 102 |
#define GET32( i_pos ) \ |
| 103 |
@@ -1137,7 +1138,7 @@ static int mms_ParseCommand( access_t *p_access, |
| 104 |
( p_sys->p_cmd[i_pos + 3] << 24 ) ) |
| 105 |
|
| 106 |
access_sys_t *p_sys = p_access->p_sys; |
| 107 |
- int i_length; |
| 108 |
+ uint32_t i_length; |
| 109 |
uint32_t i_id; |
| 110 |
|
| 111 |
if( p_sys->p_cmd ) |
| 112 |
@@ -1159,10 +1160,10 @@ static int mms_ParseCommand( access_t *p_access, |
| 113 |
i_id = GetDWLE( p_data + 4 ); |
| 114 |
i_length = GetDWLE( p_data + 8 ) + 16; |
| 115 |
|
| 116 |
- if( i_id != 0xb00bface ) |
| 117 |
+ if( i_id != 0xb00bface || i_length < 16 ) |
| 118 |
{ |
| 119 |
msg_Err( p_access, |
| 120 |
- "incorrect command header (0x%x)", i_id ); |
| 121 |
+ "incorrect command header (0x%"PRIx32")", i_id ); |
| 122 |
p_sys->i_command = 0; |
| 123 |
return -1; |
| 124 |
} |
| 125 |
@@ -1170,8 +1171,8 @@ static int mms_ParseCommand( access_t *p_access, |
| 126 |
if( i_length > p_sys->i_cmd ) |
| 127 |
{ |
| 128 |
msg_Warn( p_access, |
| 129 |
- "truncated command (missing %d bytes)", |
| 130 |
- i_length - i_data ); |
| 131 |
+ "truncated command (missing %zu bytes)", |
| 132 |
+ (size_t)i_length - i_data ); |
| 133 |
p_sys->i_command = 0; |
| 134 |
return -1; |
| 135 |
} |
| 136 |
diff --git a/modules/access/mms/mmstu.h b/modules/access/mms/mmstu.h |
| 137 |
index b265127..8d41fe7 100644 |
| 138 |
--- a/modules/access/mms/mmstu.h |
| 139 |
+++ b/modules/access/mms/mmstu.h |
| 140 |
@@ -62,10 +62,10 @@ struct access_sys_t |
| 141 |
int i_packet_seq_num; |
| 142 |
|
| 143 |
uint8_t *p_cmd; /* latest command read */ |
| 144 |
- int i_cmd; /* allocated at the begining */ |
| 145 |
+ size_t i_cmd; /* allocated at the begining */ |
| 146 |
|
| 147 |
uint8_t *p_header; /* allocated by mms_ReadPacket */ |
| 148 |
- int i_header; |
| 149 |
+ size_t i_header; |
| 150 |
|
| 151 |
uint8_t *p_media; /* allocated by mms_ReadPacket */ |
| 152 |
size_t i_media; |
| 153 |
@@ -86,7 +86,7 @@ struct access_sys_t |
| 154 |
size_t i_packet_length; |
| 155 |
uint32_t i_packet_count; |
| 156 |
int i_max_bit_rate; |
| 157 |
- int i_header_size; |
| 158 |
+ size_t i_header_size; |
| 159 |
|
| 160 |
/* */ |
| 161 |
vlc_bool_t b_seekable; |
| 162 |
-- |
| 163 |
1.6.0 |
Archives