1 |
aballier 08/08/24 13:10:24 |
2 |
|
3 |
Modified: series |
4 |
Added: |
5 |
410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
6 |
Log: |
7 |
add upstream patch for bug #235589 |
8 |
|
9 |
Revision Changes Path |
10 |
1.3 src/patchsets/vlc/0.8.6i/series |
11 |
|
12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?rev=1.3&view=markup |
13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?rev=1.3&content-type=text/plain |
14 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/series?r1=1.2&r2=1.3 |
15 |
|
16 |
Index: series |
17 |
=================================================================== |
18 |
RCS file: /var/cvsroot/gentoo/src/patchsets/vlc/0.8.6i/series,v |
19 |
retrieving revision 1.2 |
20 |
retrieving revision 1.3 |
21 |
diff -u -r1.2 -r1.3 |
22 |
--- series 22 Aug 2008 08:55:31 -0000 1.2 |
23 |
+++ series 24 Aug 2008 13:10:23 -0000 1.3 |
24 |
@@ -16,3 +16,4 @@ |
25 |
380_all_TTA-Sanity-check-to-avoid-overflow-and-typo.patch |
26 |
390_all_Kill-a-warning-and-put-i_datalength-as-an-uint32_t.patch |
27 |
400_all_Fix-previous-commits.patch |
28 |
+410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
29 |
|
30 |
|
31 |
|
32 |
1.1 src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
33 |
|
34 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch?rev=1.1&view=markup |
35 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/vlc/0.8.6i/410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch?rev=1.1&content-type=text/plain |
36 |
|
37 |
Index: 410_all_MMS-integers-handling-fixes-including-buffer-overfl.patch |
38 |
=================================================================== |
39 |
From 2947f778df4f440ceeb6f5dc1bdb0e9f5cd31e74 Mon Sep 17 00:00:00 2001 |
40 |
From: =?utf-8?q?R=C3=A9mi=20Denis-Courmont?= <rdenis@××××××××××××.com> |
41 |
Date: Sun, 24 Aug 2008 13:18:01 +0300 |
42 |
Subject: [PATCH] MMS integers handling fixes, including buffer overflow |
43 |
MIME-Version: 1.0 |
44 |
Content-Type: text/plain; charset=utf-8 |
45 |
Content-Transfer-Encoding: 8bit |
46 |
|
47 |
Pointed-out-by: Pınar Yanardağ |
48 |
(cherry picked from commit afe3464a1c7c6f9d7640a3f5db17010c34212440) |
49 |
|
50 |
Conflicts: |
51 |
|
52 |
modules/access/mms/mmstu.c |
53 |
--- |
54 |
modules/access/mms/mmstu.c | 19 ++++++++++--------- |
55 |
modules/access/mms/mmstu.h | 6 +++--- |
56 |
2 files changed, 13 insertions(+), 12 deletions(-) |
57 |
|
58 |
diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c |
59 |
index 61f9e38..df5ec78 100644 |
60 |
--- a/modules/access/mms/mmstu.c |
61 |
+++ b/modules/access/mms/mmstu.c |
62 |
@@ -28,6 +28,7 @@ |
63 |
#include <stdlib.h> |
64 |
#include <vlc/vlc.h> |
65 |
#include <string.h> |
66 |
+#include <inttypes.h> |
67 |
#include <vlc/input.h> |
68 |
#include <errno.h> |
69 |
|
70 |
@@ -695,7 +696,7 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto ) |
71 |
GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 60 ); |
72 |
|
73 |
msg_Dbg( p_access, |
74 |
- "answer 0x06 flags:0x%8.8x media_length:%us packet_length:%lu packet_count:%u max_bit_rate:%d header_size:%d", |
75 |
+ "answer 0x06 flags:0x%8.8"PRIx32" media_length:%"PRIu32"s packet_length:%zu packet_count:%"PRIu32" max_bit_rate:%d header_size:%zu", |
76 |
p_sys->i_flags_broadcast, |
77 |
p_sys->i_media_length, |
78 |
p_sys->i_packet_length, |
79 |
@@ -749,12 +750,12 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto ) |
80 |
if( p_sys->i_header >= p_sys->i_header_size ) |
81 |
{ |
82 |
msg_Dbg( p_access, |
83 |
- "header complete(%d)", |
84 |
+ "header complete(%zu)", |
85 |
p_sys->i_header ); |
86 |
break; |
87 |
} |
88 |
msg_Dbg( p_access, |
89 |
- "header incomplete (%d/%d), reading more", |
90 |
+ "header incomplete (%zu/%zu), reading more", |
91 |
p_sys->i_header, |
92 |
p_sys->i_header_size ); |
93 |
} |
94 |
@@ -1128,7 +1129,7 @@ static int NetFillBuffer( access_t *p_access ) |
95 |
|
96 |
static int mms_ParseCommand( access_t *p_access, |
97 |
uint8_t *p_data, |
98 |
- int i_data, |
99 |
+ size_t i_data, |
100 |
int *pi_used ) |
101 |
{ |
102 |
#define GET32( i_pos ) \ |
103 |
@@ -1137,7 +1138,7 @@ static int mms_ParseCommand( access_t *p_access, |
104 |
( p_sys->p_cmd[i_pos + 3] << 24 ) ) |
105 |
|
106 |
access_sys_t *p_sys = p_access->p_sys; |
107 |
- int i_length; |
108 |
+ uint32_t i_length; |
109 |
uint32_t i_id; |
110 |
|
111 |
if( p_sys->p_cmd ) |
112 |
@@ -1159,10 +1160,10 @@ static int mms_ParseCommand( access_t *p_access, |
113 |
i_id = GetDWLE( p_data + 4 ); |
114 |
i_length = GetDWLE( p_data + 8 ) + 16; |
115 |
|
116 |
- if( i_id != 0xb00bface ) |
117 |
+ if( i_id != 0xb00bface || i_length < 16 ) |
118 |
{ |
119 |
msg_Err( p_access, |
120 |
- "incorrect command header (0x%x)", i_id ); |
121 |
+ "incorrect command header (0x%"PRIx32")", i_id ); |
122 |
p_sys->i_command = 0; |
123 |
return -1; |
124 |
} |
125 |
@@ -1170,8 +1171,8 @@ static int mms_ParseCommand( access_t *p_access, |
126 |
if( i_length > p_sys->i_cmd ) |
127 |
{ |
128 |
msg_Warn( p_access, |
129 |
- "truncated command (missing %d bytes)", |
130 |
- i_length - i_data ); |
131 |
+ "truncated command (missing %zu bytes)", |
132 |
+ (size_t)i_length - i_data ); |
133 |
p_sys->i_command = 0; |
134 |
return -1; |
135 |
} |
136 |
diff --git a/modules/access/mms/mmstu.h b/modules/access/mms/mmstu.h |
137 |
index b265127..8d41fe7 100644 |
138 |
--- a/modules/access/mms/mmstu.h |
139 |
+++ b/modules/access/mms/mmstu.h |
140 |
@@ -62,10 +62,10 @@ struct access_sys_t |
141 |
int i_packet_seq_num; |
142 |
|
143 |
uint8_t *p_cmd; /* latest command read */ |
144 |
- int i_cmd; /* allocated at the begining */ |
145 |
+ size_t i_cmd; /* allocated at the begining */ |
146 |
|
147 |
uint8_t *p_header; /* allocated by mms_ReadPacket */ |
148 |
- int i_header; |
149 |
+ size_t i_header; |
150 |
|
151 |
uint8_t *p_media; /* allocated by mms_ReadPacket */ |
152 |
size_t i_media; |
153 |
@@ -86,7 +86,7 @@ struct access_sys_t |
154 |
size_t i_packet_length; |
155 |
uint32_t i_packet_count; |
156 |
int i_max_bit_rate; |
157 |
- int i_header_size; |
158 |
+ size_t i_header_size; |
159 |
|
160 |
/* */ |
161 |
vlc_bool_t b_seekable; |
162 |
-- |
163 |
1.6.0 |