Hello community,
here is the log from the commit of package xine-lib
checked in at Thu Nov 23 16:57:52 CET 2006.
--------
--- xine-lib/xine-lib.changes 2006-10-17 00:16:31.000000000 +0200
+++ xine-lib/xine-lib.changes 2006-11-21 18:22:17.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Nov 21 18:04:49 CET 2006 - mhopf@suse.de
+
+- Security fix for #222892: Insufficient validation of AVI headers.
+ CVE-2006-4799 and CVE-2006-4800.
+
+-------------------------------------------------------------------
New:
----
xine-lib-cve-2006-4799.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xine-lib.spec ++++++
--- /var/tmp/diff_new_pack.VvbwIi/_old 2006-11-23 16:53:06.000000000 +0100
+++ /var/tmp/diff_new_pack.VvbwIi/_new 2006-11-23 16:53:06.000000000 +0100
@@ -15,8 +15,8 @@
%define DISTRIBUTABLE 1
Summary: Video Player with Plug-Ins
Version: 1.1.2
-Release: 18
-License: GPL, Other License(s), see package
+Release: 36
+License: GNU General Public License (GPL), Other License(s), see package
Group: Productivity/Multimedia/Video/Players
URL: http://xine.sourceforge.net
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -31,6 +31,7 @@
# nuke socklen_t autoconf, because it breaks e.g. on 10.1 ppc64
Patch4: xine-lib-configure.diff
#Patch19: xine-lib-used-constants.diff
+Patch22: xine-lib-cve-2006-4799.diff
Patch24: xine-lib-mms-fixes-COMMITTED.diff
Patch25: xine-lib-buildfixed-COMMITTED.diff
Patch26: xine-lib-doc-fix-X11R6.diff
@@ -140,6 +141,7 @@
%patch
%patch1
%patch4
+%patch22
%patch24
%patch25
%patch26
@@ -390,6 +392,9 @@
/usr/include/xine.h
%changelog -n xine-lib
+* Tue Nov 21 2006 - mhopf@suse.de
+- Security fix for #222892: Insufficient validation of AVI headers.
+ CVE-2006-4799 and CVE-2006-4800.
* Tue Oct 17 2006 - ro@suse.de
- remove DirectFB from BuildRequires (unused)
* Thu Oct 12 2006 - mhopf@suse.de
@@ -728,7 +733,7 @@
- fix build for 8.1
* Thu Feb 06 2003 - adrian@suse.de
- faad implementation is okay, but there are maybe other copyrights
--> disabled
+ -> disabled
* Tue Feb 04 2003 - adrian@suse.de
- update xine-lib to 1-beta4
- enable aalib support
++++++ xine-lib-cve-2006-4799.diff ++++++
diff -urp ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/4xm.c ./src/libffmpeg/libavcodec/4xm.c
--- ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/4xm.c 2006-07-09 16:38:06.000000000 +0200
+++ ./src/libffmpeg/libavcodec/4xm.c 2006-11-21 18:14:09.000000000 +0100
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
int i, frame_4cc, frame_size;
frame_4cc= get32(buf);
- if(buf_size != get32(buf+4)+8){
+ if(buf_size != get32(buf+4)+8 || buf_size < 20){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
}
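Review bot: The new `buf_size < 20` test is evaluated only after `get32(buf)` and `get32(buf+4)` have already read eight bytes, and the body of the condition only logs, so a too-short packet still falls through to the `buf+20` read in the next hunk. The guard should come before the first header read and actually leave the function, which is the convention the second hunk's `return -1` already uses; data_size is computed outside the hunk, so whether it is bounded by `buf_size - 20` cannot be seen here. decode_frame begins and ends outside this hunk.
```c
    int i, frame_4cc, frame_size;

    /* reject short packets before any header field is read */
    if(buf_size < 20){
        av_log(f->avctx, AV_LOG_ERROR, "packet too small %d\n", buf_size);
        return -1;
    }
    frame_4cc= get32(buf);
    if(buf_size != get32(buf+4)+8){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
    }
    // … unchanged: rest of decode_frame …
```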
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
cfrm= &f->cfrm[i];
cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+ av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+ return -1;
+ }
memcpy(cfrm->data + cfrm->size, buf+20, data_size);
cfrm->size += data_size;
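Review bot: The new error message has a typo and, unlike the other av_log strings in this file (`"size mismatch %d %d\n"` in the previous hunk), no trailing newline; it should read `av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n");`. The NULL check itself is right, but because the result of av_fast_realloc is assigned straight to `cfrm->data` before it is tested, a failed reallocation presumably drops the previous buffer and leaves `cfrm->size` describing memory that is no longer reachable — worth confirming against av_fast_realloc's failure contract. decode_frame continues outside this hunk.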
diff -urp ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/alac.c ./src/libffmpeg/libavcodec/alac.c
--- ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/alac.c 2006-07-09 16:38:06.000000000 +0200
+++ ./src/libffmpeg/libavcodec/alac.c 2006-11-21 18:18:05.000000000 +0100
@@ -84,7 +84,7 @@ static void allocate_buffers(ALACContext
alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
}
-static void alac_set_info(ALACContext *alac)
+static int alac_set_info(ALACContext *alac)
{
unsigned char *ptr = alac->avctx->extradata;
@@ -92,6 +92,10 @@ static void alac_set_info(ALACContext *a
ptr += 4; /* alac */
ptr += 4; /* 0 ? */
+ if(BE_32(ptr) >= UINT_MAX/4){
+ av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+ return -1;
+ }
alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
ptr += 4;
alac->setinfo_7a = *ptr++;
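Review bot: `BE_32(ptr)` is decoded twice, once in the new range check and once in the assignment that follows it; a named local makes the bound's relation to the `* 4` in allocate_buffers (previous hunk) explicit and avoids the repeated read: `const unsigned max_samples = BE_32(ptr);`, `if(max_samples >= UINT_MAX/4){`, `alac->setinfo_max_samples_per_frame = max_samples;`. UINT_MAX also needs <limits.h>, which this hunk does not add — confirm it is already reachable through the file's includes. alac_set_info continues outside this hunk.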
@@ -110,6 +114,8 @@ static void alac_set_info(ALACContext *a
ptr += 4;
allocate_buffers(alac);
+
+ return 0;
}
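Review bot: `return 0` is reached unconditionally after `allocate_buffers(alac)`, yet allocate_buffers is still void and its av_malloc calls (one is visible at the top of the first hunk) are not checked, so alac_set_info reports success even when a buffer could not be allocated. Making allocate_buffers return non-zero when any av_malloc result is NULL and changing the call here to `if (allocate_buffers(alac)) return -1;` would let the new error path in alac_decode_frame cover allocation failure too; allocate_buffers itself lies outside this hunk.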
/* hideously inefficient. could use a bitmask search,
@@ -448,7 +454,10 @@ static int alac_decode_frame(AVCodecCont
ALAC_EXTRADATA_SIZE);
return input_buffer_size;
}
- alac_set_info(alac);
+ if (alac_set_info(alac)) {
+ av_log(NULL, AV_LOG_ERROR, "alac: set_info failed\n");
+ return input_buffer_size;
+ }
alac->context_initialized = 1;
}
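Review bot: The new failure message passes NULL as the logging context while the other message added by this patch uses `alac->avctx`; for consistency and so the error is attributed to the stream, prefer `av_log(alac->avctx, AV_LOG_ERROR, "alac: set_info failed\n");`. Returning input_buffer_size mirrors the existing extradata-size branch just above, and since `alac->context_initialized = 1` is skipped the parse is presumably retried on every following frame, which seems intended. alac_decode_frame continues outside this hunk.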
diff -urp ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/shorten.c ./src/libffmpeg/libavcodec/shorten.c
--- ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/shorten.c 2006-07-09 16:38:39.000000000 +0200
+++ ./src/libffmpeg/libavcodec/shorten.c 2006-11-21 18:18:05.000000000 +0100
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
return 0;
}
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
{
int i, chan;
for (chan=0; chan<s->channels; chan++) {
+ if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+ return -1;
+ }
+ if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+ av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+ return -1;
+ }
+
s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
for (i=0; i<s->nwrap; i++)
s->decoded[chan][i] = 0;
s->decoded[chan] += s->nwrap;
-
}
+ return 0;
}
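Review bot: The av_realloc results at the `s->offset[chan]` and `s->decoded[chan]` lines remain unchecked and are assigned directly, so a failed reallocation leaks the old buffer and the `s->decoded[chan][i] = 0` loop then writes through NULL. The two new range checks depend only on nmean, blocksize and nwrap, not on chan, so they belong before the loop rather than being repeated per channel. Separately, `s->decoded[chan] += s->nwrap` leaves an interior pointer that a later call would hand back to av_realloc; if allocate_buffers can run more than once per stream that is invalid, but fixing it needs a separate base pointer and is outside this patch's scope.
```c
static int allocate_buffers(ShortenContext *s)
{
    int i, chan;
    /* the bounds depend only on nmean/blocksize/nwrap, so test them once */
    if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
        av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
        return -1;
    }
    if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
        av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
        return -1;
    }
    for (chan=0; chan<s->channels; chan++) {
        /* keep the old pointer until the reallocation is known to have succeeded */
        void *tmp = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        if (!tmp)
            return -1;
        s->offset[chan] = tmp;
        tmp = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        if (!tmp)
            return -1;
        s->decoded[chan] = tmp;
        /* … unchanged: zero the first nwrap samples and advance decoded[chan] … */
    }
    return 0;
}
```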
@@ -324,7 +333,8 @@ static int shorten_decode_frame(AVCodecC
}
s->nwrap = FFMAX(NWRAP, maxnlpc);
- allocate_buffers(s);
+ if (allocate_buffers(s))
+ return -1;
init_offset(s);
diff -urp ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/snow.c ./src/libffmpeg/libavcodec/snow.c
--- ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/snow.c 2006-07-09 16:38:42.000000000 +0200
+++ ./src/libffmpeg/libavcodec/snow.c 2006-11-21 18:14:40.000000000 +0100
@@ -3771,7 +3771,7 @@ static int decode_header(SnowContext *s)
s->mv_scale= get_symbol(&s->c, s->header_state, 0);
s->qbias= get_symbol(&s->c, s->header_state, 1);
s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
- if(s->block_max_depth > 1){
+ if(s->block_max_depth > 1 || s->block_max_depth < 0){
av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
s->block_max_depth= 0;
return -1;
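Review bot: The extended condition now also rejects negative values, but the message still says `is too large`, which is misleading for that case; `"block_max_depth= %d is out of range\n"` describes both branches (and adds the trailing newline the other av_log messages in this patch carry). Resetting block_max_depth to 0 before returning is kept, which looks right for a bad header. decode_header continues outside this hunk.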
diff -urp ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/vorbis.c ./src/libffmpeg/libavcodec/vorbis.c
--- ../xine-lib-1.1.2.orig/src/libffmpeg/libavcodec/vorbis.c 2006-07-09 16:38:45.000000000 +0200
+++ ./src/libffmpeg/libavcodec/vorbis.c 2006-11-21 18:14:59.000000000 +0100
@@ -872,10 +872,17 @@ static int vorbis_parse_id_hdr(vorbis_co
bl1=get_bits(gb, 4);
vc->blocksize_0=(1<