Gentoo's Bugzilla – Attachment 160415 Details for Bug 231836: media-video/mplayer < 1.0_rc2_p27725 FFmpeg psxstr.c Buffer overflow (CVE-2008-3162)
[patch] mplayer-1.0_rc2_p26753-CVE-2008-3162.patch (text/plain), 2.92 KB, created by Robert Buchholz (RETIRED) on 2008-07-15 03:33:22 UTC
>CVE-2008-3162: >Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c >in FFmpeg before r13993 allows remote attackers to cause a denial of service >(application crash) or execute arbitrary code via a crafted STR file that interleaves >audio and video sectors. > >Patch from >http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993 > >Index: mplayer-1.0_rc2_p26753/libavformat/psxstr.c >=================================================================== >--- mplayer-1.0_rc2_p26753.orig/libavformat/psxstr.c >+++ mplayer-1.0_rc2_p26753/libavformat/psxstr.c >@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte > int current_sector = AV_RL16(§or[0x1C]); > int sector_count = AV_RL16(§or[0x1E]); > int frame_size = AV_RL32(§or[0x24]); >- int bytes_to_copy; >+ >+ if(!( frame_size>=0 >+ && current_sector < sector_count >+ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ >+ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); >+ return AVERROR_INVALIDDATA; >+ } >+ > // printf("%d %d %d\n",current_sector,sector_count,frame_size); > /* if this is the first sector of the frame, allocate a pkt */ > pkt = &str->tmp_pkt; >- if (current_sector == 0) { >- if (av_new_packet(pkt, frame_size)) >+ >+ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ >+ if(pkt->data) >+ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); >+ av_free_packet(pkt); >+ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) > return AVERROR(EIO); > > pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; 
>@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte > str->pts += (90000 / 15); > } > >- /* load all the constituent chunks in the video packet */ >- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; >- if (bytes_to_copy>0) { >- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; >- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, >- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); >- } >+ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, >+ sector + VIDEO_DATA_HEADER_SIZE, >+ VIDEO_DATA_CHUNK_SIZE); >+ > if (current_sector == sector_count-1) { >+ pkt->size= frame_size; > *ret_pkt = *pkt; >+ pkt->data= NULL; >+ pkt->size= -1; > return 0; > } >
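Review bot: In the first hunk (str_read_packet, @@ -276,12 +276,23 @@), the `pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE` branch only logs "missmatching sector_count" and then carries on with a freshly allocated packet, even when current_sector is not 0. The chunks below current_sector are never written into that new buffer, so a file that changes sector_count partway through a frame can still reach the `current_sector == sector_count-1` return with unwritten bytes in front of the copied data. Consider returning AVERROR_INVALIDDATA when the mismatch is hit with `pkt->data` set and `current_sector != 0`, or clearing the new buffer right after av_new_packet succeeds. Minor: the log string should read "mismatching".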
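Review bot: In the second hunk (@@ -295,15 +306,15 @@), the memcpy now copies a fixed VIDEO_DATA_CHUNK_SIZE with no local clamp, so its bound rests entirely on the `current_sector < sector_count` check and the `sector_count*VIDEO_DATA_CHUNK_SIZE` allocation made earlier in the function. A short comment at the memcpy stating that invariant would keep a later edit from separating the copy from the check that makes it safe. The same goes for `pkt->size= -1` after `*ret_pkt = *pkt`: it works as a "no packet in progress" marker for the size comparison in the first hunk, but nothing in the visible lines says so.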