Attachment 160415 Details for Bug 231836 – mplayer-1.0_rc2_p26753-CVE-2008-3162.patch

[patch] mplayer-1.0_rc2_p26753-CVE-2008-3162.patch

mplayer-1.0_rc2_p26753-CVE-2008-3162.patch (text/plain), 2.92 KB, created by Robert Buchholz (RETIRED) on 2008-07-15 03:33:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2008-07-15 03:33:22 UTC

Size: 2.92 KB

patch

obsolete

>CVE-2008-3162:
>Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c
>in FFmpeg before r13993 allows remote attackers to cause a denial of service 
>(application crash) or execute arbitrary code via a crafted STR file that interleaves
>audio and video sectors.
>
>Patch from
>http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
>
>Index: mplayer-1.0_rc2_p26753/libavformat/psxstr.c
>===================================================================
>--- mplayer-1.0_rc2_p26753.orig/libavformat/psxstr.c
>+++ mplayer-1.0_rc2_p26753/libavformat/psxstr.c
>@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte
>                 int current_sector = AV_RL16(&sector[0x1C]);
>                 int sector_count   = AV_RL16(&sector[0x1E]);
>                 int frame_size = AV_RL32(&sector[0x24]);
>-                int bytes_to_copy;
>+
>+                if(!(   frame_size>=0
>+                     && current_sector < sector_count
>+                     && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
>+                    av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
>+                    return AVERROR_INVALIDDATA;
>+                }
>+
> //        printf("%d %d %d\n",current_sector,sector_count,frame_size);
>                 /* if this is the first sector of the frame, allocate a pkt */
>                 pkt = &str->tmp_pkt;
>-                if (current_sector == 0) {
>-                    if (av_new_packet(pkt, frame_size))
>+
>+                if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
>+                    if(pkt->data)
>+                        av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
>+                    av_free_packet(pkt);
>+                    if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
>                         return AVERROR(EIO);
> 
>                     pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
>@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte
>                        str->pts += (90000 / 15);
>                 }
> 
>-                /* load all the constituent chunks in the video packet */
>-                bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
>-                if (bytes_to_copy>0) {
>-                    if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
>-                    memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
>-                        sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
>-                }
>+                memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
>+                       sector + VIDEO_DATA_HEADER_SIZE,
>+                       VIDEO_DATA_CHUNK_SIZE);
>+
>                 if (current_sector == sector_count-1) {
>+                    pkt->size= frame_size;
>                     *ret_pkt = *pkt;
>+                    pkt->data= NULL;
>+                    pkt->size= -1;
>                     return 0;
>                 }
>

Actions: View | Diff

Attachments on bug 231836: 160415