rpms/xine-lib/EL-5 xine-lib-1.1.8-CVE-2008-0225.patch, NONE, 1.1 xine-lib.spec, 1.15, 1.16

Ville Skytta (scop) fedora-extras-commits at redhat.com
Sat Jan 12 11:42:21 UTC 2008


Author: scop

Update of /cvs/pkgs/rpms/xine-lib/EL-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10427

Modified Files:
	xine-lib.spec 
Added Files:
	xine-lib-1.1.8-CVE-2008-0225.patch 
Log Message:
* Sat Jan 12 2008 Ville Skyttä <ville.skytta at iki.fi> - 1.1.8-7
- Include RTSP security fixes from 1.1.9.1.


xine-lib-1.1.8-CVE-2008-0225.patch:

--- NEW FILE xine-lib-1.1.8-CVE-2008-0225.patch ---
diff -r -Nu xine-lib-1.1.9/src/input/libreal/rmff.c xine-lib-1.1.9.1/src/input/libreal/rmff.c
--- xine-lib-1.1.9/src/input/libreal/rmff.c	2008-01-01 15:30:08.000000000 +0200
+++ xine-lib-1.1.9.1/src/input/libreal/rmff.c	2008-01-11 15:40:28.000000000 +0200
@@ -35,9 +35,13 @@
  * writes header data to a buffer
  */
 
-static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
+static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) {
+
+  if (!fileheader) return 0;
+
+  if (bufsize < RMFF_FILEHEADER_SIZE)
+    return -1;
 
-  if (!fileheader) return;
   fileheader->object_id=_X_BE_32(&fileheader->object_id);
   fileheader->size=_X_BE_32(&fileheader->size);
   fileheader->object_version=_X_BE_16(&fileheader->object_version);
@@ -53,11 +57,17 @@
   fileheader->file_version=_X_BE_32(&fileheader->file_version);
   fileheader->num_headers=_X_BE_32(&fileheader->num_headers);
   fileheader->object_id=_X_BE_32(&fileheader->object_id);
+
+  return RMFF_FILEHEADER_SIZE;
 }
 
-static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
+static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) {
+
+  if (!prop) return 0;
+
+  if (bufsize < RMFF_PROPHEADER_SIZE)
+    return -1;
 
-  if (!prop) return;
   prop->object_id=_X_BE_32(&prop->object_id);
   prop->size=_X_BE_32(&prop->size);
   prop->object_version=_X_BE_16(&prop->object_version);
@@ -93,13 +103,19 @@
   prop->num_streams=_X_BE_16(&prop->num_streams);
   prop->flags=_X_BE_16(&prop->flags);
   prop->object_id=_X_BE_32(&prop->object_id);
+
+  return RMFF_PROPHEADER_SIZE;
 }
 
-static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
+static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) {
 
   int s1, s2, s3;
 
-  if (!mdpr) return;
+  if (!mdpr) return 0;
+
+  if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size)
+    return -1;
+
   mdpr->object_id=_X_BE_32(&mdpr->object_id);
   mdpr->size=_X_BE_32(&mdpr->size);
   mdpr->object_version=_X_BE_16(&mdpr->object_version);
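Review bot: The new bounds check in rmff_dump_mdpr computes `RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size` before comparing it with `bufsize`, and that sum can itself wrap or overflow. The field declarations are not in this hunk; if `type_specific_len` is a 32-bit unsigned field, the comparison is done in unsigned arithmetic, so a very large length wraps to a small total and the guard passes. Doing the sum in a wider type avoids this: `uint64_t need = (uint64_t)RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size;` followed by `if (bufsize < 0 || need > (uint64_t)bufsize) return -1;`. The same summing pattern in rmff_dump_cont (next hunk) is safe only if its four length fields are 16 bits or narrower, which is worth confirming against the struct. The body of rmff_dump_mdpr continues outside this hunk.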
@@ -141,13 +157,19 @@
   mdpr->duration=_X_BE_32(&mdpr->duration);
   mdpr->object_id=_X_BE_32(&mdpr->object_id);
 
+  return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3;
 }
 
-static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
+static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) {
 
   int p;
 
-  if (!cont) return;
+  if (!cont) return 0;
+
+  if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+      cont->copyright_len + cont->comment_len)
+    return -1;
+
   cont->object_id=_X_BE_32(&cont->object_id);
   cont->size=_X_BE_32(&cont->size);
   cont->object_version=_X_BE_16(&cont->object_version);
@@ -181,11 +203,18 @@
   cont->size=_X_BE_32(&cont->size);
   cont->object_version=_X_BE_16(&cont->object_version);
   cont->object_id=_X_BE_32(&cont->object_id);
+
+  return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+         cont->copyright_len + cont->comment_len;
 }
 
-static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
+static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) {
+
+  if (!data) return 0;
+
+  if (bufsize < RMFF_DATAHEADER_SIZE)
+    return -1;
 
-  if (!data) return;
   data->object_id=_X_BE_32(&data->object_id);
   data->size=_X_BE_32(&data->size);
   data->object_version=_X_BE_16(&data->object_version);
@@ -201,31 +230,43 @@
   data->size=_X_BE_32(&data->size);
   data->object_version=_X_BE_16(&data->object_version);
   data->object_id=_X_BE_32(&data->object_id);
+
+  return RMFF_DATAHEADER_SIZE;
 }
 
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max) {
+int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) {
+  uint8_t *buffer = buf_gen;
 
-  int written=0;
+  int written=0, size;
   rmff_mdpr_t **stream=h->streams;
 
-  rmff_dump_fileheader(h->fileheader, &buffer[written]);
-  written+=h->fileheader->size;
-  rmff_dump_prop(h->prop, &buffer[written]);
-  written+=h->prop->size;
-  rmff_dump_cont(h->cont, &buffer[written]);
-  written+=h->cont->size;
+  if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
   if (stream)
   {
     while(*stream)
     {
-      rmff_dump_mdpr(*stream, &buffer[written]);
-      written+=(*stream)->size;
+      if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0)
+        return -1;
+      written+=size;
+      max -= size;
       stream++;
     }
   }
     
-  rmff_dump_dataheader(h->data, &buffer[written]);
-  written+=18;
+  if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
 
   return written;
 }
diff -r -Nu xine-lib-1.1.9/src/input/libreal/rmff.h xine-lib-1.1.9.1/src/input/libreal/rmff.h
--- xine-lib-1.1.9/src/input/libreal/rmff.h	2008-01-01 15:30:08.000000000 +0200
+++ xine-lib-1.1.9.1/src/input/libreal/rmff.h	2008-01-11 17:22:09.000000000 +0200
@@ -39,6 +39,12 @@
 
 #define RMFF_HEADER_SIZE 0x12
 
+#define RMFF_FILEHEADER_SIZE 18
+#define RMFF_PROPHEADER_SIZE 50
+#define RMFF_MDPRHEADER_SIZE 46
+#define RMFF_CONTHEADER_SIZE 18
+#define RMFF_DATAHEADER_SIZE 18
+
 #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
         (((long)(unsigned char)(ch3)       ) | \
         ( (long)(unsigned char)(ch2) << 8  ) | \
@@ -245,7 +251,7 @@
 /*
  * dumps the header <h> to <buffer>. <max> is the size of <buffer>
  */
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max);
+int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max);
 
 /*
  * dumps a packet header
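Review bot: The comment above the `rmff_dump_header` prototype was left unchanged, so it still names `<buffer>` and does not mention the new failure return. Callers now have to check for a negative result, and the header is where they will look for that contract. Suggested wording: `* dumps the header <h> to <buf_gen>. <max> is the size of that buffer in bytes.` followed by `* returns the number of bytes written, or -1 if the header does not fit.`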
diff -r -Nu xine-lib-1.1.9/src/input/librtsp/rtsp_session.c xine-lib-1.1.9.1/src/input/librtsp/rtsp_session.c
--- xine-lib-1.1.9/src/input/librtsp/rtsp_session.c	2008-01-01 15:30:08.000000000 +0200
+++ xine-lib-1.1.9.1/src/input/librtsp/rtsp_session.c	2008-01-11 06:11:52.000000000 +0200
@@ -148,6 +148,11 @@
 	
 	  rtsp_session->header_left = 
     rtsp_session->header_len  = rmff_dump_header(h,rtsp_session->header,HEADER_SIZE);
+    if (rtsp_session->header_len < 0) {
+      xprintf (stream->xine, XINE_VERBOSITY_LOG,
+	       _("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n"));
+      goto session_abort;
+    }
 
     xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len);
     rtsp_session->recv_size = rtsp_session->header_len;
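Review bot: The added `if (rtsp_session->header_len < 0)` guard only fires if `header_len` is a signed type, and its declaration is not part of this hunk. If the field were unsigned, the -1 from rmff_dump_header would become a large positive length and reach `xine_buffer_copyin` unchanged. Testing the return value in a local first removes that dependency: `int len = rmff_dump_header(h, rtsp_session->header, HEADER_SIZE);` then `if (len < 0) { ... goto session_abort; }` before assigning `header_len` and `header_left`. The enclosing function starts and ends outside the hunk.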
@@ -157,6 +162,7 @@
   {
     xprintf(stream->xine, XINE_VERBOSITY_LOG,
 	    _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server);
+    session_abort:
     rtsp_close(rtsp_session->s);
     free(server);
     xine_buffer_free(rtsp_session->recv);
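Review bot: The `session_abort:` label sits in the middle of the else branch that handles unsupported server types, so the `goto` added in the previous hunk jumps from one branch's block into another's. That is legal C, but a reader of this branch cannot tell that the cleanup below the label is shared. A short comment on the label would make this clear, for example `/* also reached via goto when rmff_dump_header() reports an oversized header */`. Whether the parsed header `h` is released on this path cannot be seen from the hunk and is worth checking, since the block continues past the last visible line.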


Index: xine-lib.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xine-lib/EL-5/xine-lib.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- xine-lib.spec	27 Sep 2007 20:24:08 -0000	1.15
+++ xine-lib.spec	12 Jan 2008 11:41:42 -0000	1.16
@@ -33,7 +33,7 @@
 Summary:        Xine library
 Name:           xine-lib
 Version:        1.1.8
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPLv2+
 Group:          System Environment/Libraries
 URL:            http://xinehq.de/
@@ -46,6 +46,7 @@
 # autotools patch created with source2
 Patch0:         %{name}-%{version}-autotools.patch.bz2
 Patch1:         %{name}-1.1.4-optflags.patch
+Patch2:         %{name}-1.1.8-CVE-2008-0225.patch
 Patch6:         %{name}-1.1.1-deepbind-939.patch
 Patch7:         %{name}-1.1.5-multilib-devel.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -161,6 +162,7 @@
 touch -r m4/optimizations.m4 m4/optimizations.m4.stamp
 %patch1 -p1 -b .optflags
 touch -r m4/optimizations.m4.stamp m4/optimizations.m4
+%patch2 -p1 -b .CVE-2008-0225
 # Patch6 needed at least when compiling with external ffmpeg, #939.
 %patch6 -p1 -b .deepbind
 %patch7 -p0 -b .multilib-devel
@@ -386,6 +388,9 @@
 
 
 %changelog
+* Sat Jan 12 2008 Ville Skyttä <ville.skytta at iki.fi> - 1.1.8-7
+- Include RTSP security fixes from 1.1.9.1.
+
 * Thu Sep 27 2007 Ville Skyttä <ville.skytta at iki.fi> - 1.1.8-6
 - Enable wavpack support by default for all distros.
 



