
List:       xine-cvslog
Subject:    [xine-cvs] HG: xine-lib-1.2: Merge from 1.1.
From:       Darren Salt <linux () youmustbejoking ! demon ! co ! uk>
Date:       2009-01-18 16:36:38
Message-ID: 608e90e5e1608ef2bbee.1232296591 () hg ! debian ! org

# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1232296591 0
# Node ID 608e90e5e1608ef2bbee0b71ec2049b7f6ddf5dd
# Parent  02e8abb940d0d851d9fe008a9e3a2af078267485
# Parent  960687648a92f070d5b4966de4676163cf0cbe89
Merge from 1.1.

diff -r 608e90e5e1608ef2bbee0b71ec2049b7f6ddf5dd -r \
                02e8abb940d0d851d9fe008a9e3a2af078267485 .hgignore
--- a/.hgignore	Sun Jan 18 16:36:31 2009 +0000
+++ b/.hgignore	Sun Jan 18 00:45:42 2009 +0000
@@ -102,6 +102,7 @@ m4/ltversion.m4
 m4/ltversion.m4
 m4/lt~obsolete.m4
 
+misc/Makefile.plugins
 misc/SlackBuild
 misc/build_rpms.sh
 misc/libxine.pc
@@ -119,4 +120,11 @@ po/insert-header.sed
 po/insert-header.sed
 po/remove-potcdate.sed
 
+src/combined/ffmpeg/avcodec_*.list
+src/combined/ffmpeg/ff_*_list.h
+src/libffmpeg/ffmpeg_config.h
+src/video_out/libdha/pci_dev_ids.c
+src/video_out/libdha/pci_ids.h
+src/video_out/libdha/pci_names.[ch]
+src/video_out/libdha/pci_vendors.h
 src/xine-utils/xmltest
diff -r 608e90e5e1608ef2bbee0b71ec2049b7f6ddf5dd -r \
                02e8abb940d0d851d9fe008a9e3a2af078267485 ChangeLog
--- a/ChangeLog	Sun Jan 18 16:36:31 2009 +0000
+++ b/ChangeLog	Sun Jan 18 00:45:42 2009 +0000
@@ -74,6 +74,7 @@ xine-lib (1.1.17) 2009-??-??
   * Enable libmpeg2new. This is not yet production code; the old mpeg2
     decoder remains the default.
   * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
+  * More malloc checking (ref. CVE-2008-5240).
 
 xine-lib (1.1.16.1) 2009-01-11
   * Fix build with older ffmpeg, both internal and in Debian 5.0.
diff -r 608e90e5e1608ef2bbee0b71ec2049b7f6ddf5dd -r \
                02e8abb940d0d851d9fe008a9e3a2af078267485 src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c	Sun Jan 18 16:36:31 2009 +0000
+++ b/src/demuxers/demux_real.c	Sun Jan 18 00:45:42 2009 +0000
@@ -265,8 +265,12 @@ static void real_parse_index(demux_real_
   this->input->seek(this->input, original_pos, SEEK_SET);
 }
 
-static mdpr_t *real_parse_mdpr(const char *data) {
-  mdpr_t *mdpr=malloc(sizeof(mdpr_t));
+static mdpr_t *real_parse_mdpr(const char *data, const unsigned int size)
+{
+  if (size < 38)
+    return NULL;
+
+  mdpr_t *mdpr=calloc(sizeof(mdpr_t), 1);
 
   mdpr->stream_number=_X_BE_16(&data[2]);
   mdpr->max_bit_rate=_X_BE_32(&data[4]);
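Review bot: The `calloc` result is dereferenced on the next statement (`mdpr->stream_number=...`) without a NULL check, so an allocation failure still crashes here even though the ChangeLog entry describes the change as malloc checking. Add `if (!mdpr) return NULL;` directly after the allocation. The same applies to `rmff_scan_mdpr` in src/input/libreal/rmff.c, where the check has to come before the first `goto fail`, because the `fail:` path dereferences `mdpr`. The arguments are also in the unconventional order; `calloc(1, sizeof(mdpr_t))` is the usual form, though the result is the same. The body of real_parse_mdpr continues outside this hunk.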
@@ -278,13 +282,25 @@ static mdpr_t *real_parse_mdpr(const cha
   mdpr->duration=_X_BE_32(&data[28]);
 
   mdpr->stream_name_size=data[32];
+  if (size < 38 + mdpr->stream_name_size)
+    goto fail;
   mdpr->stream_name=xine_memdup0(&data[33], mdpr->stream_name_size);
+  if (!mdpr->stream_name)
+    goto fail;
 
   mdpr->mime_type_size=data[33+mdpr->stream_name_size];
+  if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size)
+    goto fail;
   mdpr->mime_type=xine_memdup0(&data[34+mdpr->stream_name_size], \
mdpr->mime_type_size);
+  if (!mdpr->mime_type)
+    goto fail;
 
   mdpr->type_specific_len=_X_BE_32(&data[34+mdpr->stream_name_size+mdpr->mime_type_size]);
+  if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + \
mdpr->type_specific_data)
+    goto fail;
   mdpr->type_specific_data=xine_memdup(&data[38+mdpr->stream_name_size+mdpr->mime_type_size], \
mdpr->type_specific_len);
+  if (!mdpr->type_specific_data)
+    goto fail;
 
   lprintf("MDPR: stream number: %i\n", mdpr->stream_number);
   lprintf("MDPR: maximal bit rate: %i\n", mdpr->max_bit_rate);
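Review bot: The last size check adds `mdpr->type_specific_data`, the still-zeroed pointer field, where `mdpr->type_specific_len` was evidently meant. As a result the 32-bit length read from the file is never compared with `size` before `xine_memdup` copies that many bytes from `data`. A malformed MDPR chunk can therefore still cause a read past the end of the chunk buffer, which is what the neighbouring checks are meant to prevent. Comparing by subtraction also avoids wrap-around in the sum, assuming the length field is an unsigned 32-bit value: `if (mdpr->type_specific_len > size - 38 - mdpr->stream_name_size - mdpr->mime_type_size) goto fail;`. The same mistake appears in the matching check of `rmff_scan_mdpr` in src/input/libreal/rmff.c (there with 46 and `mdpr->size`).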
@@ -302,6 +318,13 @@ static mdpr_t *real_parse_mdpr(const cha
 #endif
 
   return mdpr;
+
+fail:
+  free (mdpr->stream_name);
+  free (mdpr->mime_type);
+  free (mdpr->type_specific_data);
+  free (mdpr);
+  return NULL;
 }
 
 static void real_free_mdpr (mdpr_t *mdpr) {
@@ -485,9 +508,14 @@ static void real_parse_headers (demux_re
 	    continue;
 	  }
                 
-	  mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer);
+	  mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer, chunk_size);
 
 	  lprintf ("parsing type specific data...\n");
+	  if (!mdpr) {
+	    free (chunk_buffer);
+	    this->status = DEMUX_FINISHED;
+	    return;
+	  }
 	  if(!strcmp(mdpr->mime_type, "audio/X-MP3-draft-00")) {
 	    lprintf ("mpeg layer 3 audio detected...\n");
 
diff -r 608e90e5e1608ef2bbee0b71ec2049b7f6ddf5dd -r \
                02e8abb940d0d851d9fe008a9e3a2af078267485 src/input/libreal/rmff.c
--- a/src/input/libreal/rmff.c	Sun Jan 18 16:36:31 2009 +0000
+++ b/src/input/libreal/rmff.c	Sun Jan 18 00:45:42 2009 +0000
@@ -334,12 +334,14 @@ static rmff_prop_t *rmff_scan_prop(const
   return prop;
 }
 
-static rmff_mdpr_t *rmff_scan_mdpr(const char *data) {
-
-  rmff_mdpr_t *mdpr = malloc(sizeof(rmff_mdpr_t));
+static rmff_mdpr_t *rmff_scan_mdpr(const char *data)
+{
+  rmff_mdpr_t *mdpr = calloc(sizeof(rmff_mdpr_t), 1);
 
   mdpr->object_id=_X_BE_32(data);
   mdpr->size=_X_BE_32(&data[4]);
+  if (mdpr->size < 46)
+    goto fail;
   mdpr->object_version=_X_BE_16(&data[8]);
   if (mdpr->object_version != 0)
   {
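Review bot: Every new check in `rmff_scan_mdpr` uses `mdpr->size` as its bound, but that value is itself parsed from `&data[4]`. The checks therefore only show that the header is self-consistent, not that `data` really holds that many bytes. Unless the caller has already validated the buffer length against this field (not visible in this hunk), the function should take the buffer length as a parameter, as `real_parse_mdpr` now does, and reject an `mdpr->size` larger than it. The first eight bytes are also read before any length is known. The function body continues beyond this hunk.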
@@ -355,15 +357,34 @@ static rmff_mdpr_t *rmff_scan_mdpr(const
   mdpr->duration=_X_BE_32(&data[36]);
   
   mdpr->stream_name_size=data[40];
+  if (mdpr->size < 46 + mdpr->stream_name_size)
+    goto fail;
   mdpr->stream_name = xine_memdup0(&data[41], mdpr->stream_name_size);
+  if (!mdpr->stream_name)
+    goto fail;
   
   mdpr->mime_type_size=data[41+mdpr->stream_name_size];
+  if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size)
+    goto fail;
   mdpr->mime_type = xine_memdup0(&data[42+mdpr->stream_name_size], \
mdpr->mime_type_size);
+  if (!mdpr->mime_type)
+    goto fail;
   
   mdpr->type_specific_len=_X_BE_32(&data[42+mdpr->stream_name_size+mdpr->mime_type_size]);
+  if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size + \
mdpr->type_specific_data)
+    goto fail;
   mdpr->type_specific_data = \
xine_memdup(&data[46+mdpr->stream_name_size+mdpr->mime_type_size], \
mdpr->type_specific_len);
+  if (!mdpr->type_specific_data)
+    goto fail;
   
   return mdpr;
+
+fail:
+  free (mdpr->stream_name);
+  free (mdpr->mime_type);
+  free (mdpr->type_specific_data);
+  free (mdpr);
+  return NULL;
 }
 
 static rmff_cont_t *rmff_scan_cont(const char *data) {
