- roll in a SECURITY FIX for SA33650,

which could lead to heap based overflows and memory corruption.

patch taken from upstream git.

ok ajacoutot@
This commit is contained in:
jasper 2009-01-26 12:32:43 +00:00
parent a165a5753e
commit e9e14f1519
2 changed files with 46 additions and 2 deletions

View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.28 2009/01/25 18:55:31 ajacoutot Exp $
# $OpenBSD: Makefile,v 1.29 2009/01/26 12:32:43 jasper Exp $
COMMENT-main = multimedia framework - good plugins
COMMENT-aalib = multimedia framework - aalib plugin
@ -18,7 +18,7 @@ COMMENT-soup = multimedia framework - libsoup plugin
V = 0.10.8
DISTNAME = gst-plugins-good-$V
PKGNAME-main = gstreamer-plugins-good-$Vp7
PKGNAME-main = gstreamer-plugins-good-$Vp8
PKGNAME-aalib = gstreamer-aalib-$Vp0
PKGNAME-cairo = gstreamer-cairo-$Vp1
PKGNAME-gconf = gstreamer-confelements-$Vp1

View File

@ -0,0 +1,44 @@
$OpenBSD: patch-gst_qtdemux_qtdemux_c,v 1.1 2009/01/26 12:32:43 jasper Exp $
Security fix for SA33650, which could lead to heap based overflows and memory corruption.
http://secunia.com/advisories/33650/
Patch taken from upstream git:
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
--- gst/qtdemux/qtdemux.c.orig Mon Jan 26 13:04:23 2009
+++ gst/qtdemux/qtdemux.c Mon Jan 26 13:06:26 2009
@@ -2842,13 +2842,13 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxSt
stream->min_duration = 0;
time = 0;
index = 0;
- for (i = 0; i < n_sample_times; i++) {
+ for (i = 0; (i < n_sample_times) && (index < stream->n_samples); i++) {
guint32 n;
guint32 duration;
n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i);
duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4);
- for (j = 0; j < n; j++) {
+ for (j = 0; (j < n) && (index < stream->n_samples); j++) {
GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %" GST_TIME_FORMAT,
index, GST_TIME_ARGS (timestamp));
@@ -2876,7 +2876,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxSt
for (i = 0; i < n_sample_syncs; i++) {
/* note that the first sample is index 1, not 0 */
index = QT_UINT32 ((guint8 *) stss->data + offset);
- if (index > 0) {
+ if (index > 0 && index <= stream->n_samples) {
samples[index - 1].keyframe = TRUE;
offset += 4;
}
@@ -2975,7 +2975,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxSt
for (i = 0, j = 0; (j < stream->n_samples) && (i < n_entries); i++) {
count = QT_UINT32 (ctts_data + 16 + i * 8);
soffset = QT_UINT32 (ctts_data + 20 + i * 8);
- for (k = 0; k < count; k++, j++) {
+ for (k = 0; (k < count) && (j < stream->n_samples); k++, j++) {
/* we operate with very small soffset values here, it shouldn't overflow */
samples[j].pts_offset = soffset * GST_SECOND / stream->timescale;
}