Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 166868 Details for
Bug 239130
media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
The patch was released..
mplayer_demux_real.patch (text/plain), 1.54 KB, created by
Leo Jackson
on 2008-09-30 20:51:17 UTC
(
hide
)
Description:
The patch was released..
Filename:
MIME Type:
Creator:
Leo Jackson
Created:
2008-09-30 20:51:17 UTC
Size:
1.54 KB
patch
obsolete
>Index: libmpdemux/demux_real.c >=================================================================== >--- libmpdemux/demux_real.c (revision 27605) >+++ libmpdemux/demux_real.c (working copy) >@@ -947,6 +947,7 @@ > // last fragment! > if(dp_hdr->len!=vpkg_length-vpkg_offset) > mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset); >+ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len; > stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset); > if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else > dp_hdr->len+=vpkg_offset; >@@ -970,6 +971,7 @@ > // non-last fragment: > if(dp_hdr->len!=vpkg_offset) > mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length); >+ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len; > stream_read(demuxer->stream, dp_data+dp_hdr->len, len); > if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else > dp_hdr->len+=len; >@@ -992,6 +994,7 @@ > extra[0]=1; extra[1]=0; // offset of the first chunk > if(0x00==(vpkg_header&0xc0)){ > // first fragment: >+ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t); > dp_hdr->len=len; > stream_read(demuxer->stream, dp_data, len); > ds->asf_packet=dp;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=166868">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 239130
: 166868
