rpms/gstreamer-plugins-good/devel gstpb-qtdemux-overflow.patch, NONE, 1.1 gstreamer-plugins-good.spec, 1.82, 1.83
Bastien Nocera
hadess at fedoraproject.org
Mon Feb 2 14:57:02 UTC 2009
Author: hadess
Update of /cvs/pkgs/rpms/gstreamer-plugins-good/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2049
Modified Files:
gstreamer-plugins-good.spec
Added Files:
gstpb-qtdemux-overflow.patch
Log Message:
* Mon Feb 02 2009 - Bastien Nocera <bnocera at redhat.com> - 0.10.13-2
- Patch for overflows in the QT demuxer (#481267)
gstpb-qtdemux-overflow.patch:
--- NEW FILE gstpb-qtdemux-overflow.patch ---
>From bdc20b9baf13564d9a061343416395f8f9a92b53 Mon Sep 17 00:00:00 2001
From: David Schleef<ds at schleef.org>
Date: Thu, 22 Jan 2009 01:22:39 +0000
Subject: Fix for security advisory TKADV2009-0xx
Fix potential buffer overflows while reading quicktime headers.
Security issue noticed by Tobias Klein.
---
diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index f34d2f4..9819aa9 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -3058,13 +3058,13 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
stream->min_duration = 0;
time = 0;
index = 0;
- for (i = 0; i < n_sample_times; i++) {
+ for (i = 0; (i < n_sample_times) && (index < stream->n_samples); i++) {
guint32 n;
guint32 duration;
n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i);
duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4);
- for (j = 0; j < n; j++) {
+ for (j = 0; (j < n) && (index < stream->n_samples); j++) {
GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %" GST_TIME_FORMAT,
index, GST_TIME_ARGS (timestamp));
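Review bot: The reads at `stts->data + 16 + 8 * i` are still limited only by `n_sample_times`; the added `index < stream->n_samples` condition bounds the writes into the sample table, not the reads from the atom. Where `n_sample_times` is set lies outside this hunk, so if it comes from the file without being compared against the atom's length, a short stts atom with a large entry count (for example entries with `n == 0`, which never advance `index`) could still be read past its end. The same pattern applies to `stss->data + offset` and `ctts_data + 16 + i * 8` in the later hunks. I would check before the loop that the 8-byte entry table fits inside the atom, and add `GST_WARNING_OBJECT (qtdemux, "stts has more entries than stream->n_samples, ignoring the rest");` when the loop stops early so malformed files show up in logs. qtdemux_parse_samples begins and ends outside the hunk.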
@@ -3092,7 +3092,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
for (i = 0; i < n_sample_syncs; i++) {
/* note that the first sample is index 1, not 0 */
index = QT_UINT32 ((guint8 *) stss->data + offset);
- if (index > 0) {
+ if (index > 0 && index <= stream->n_samples) {
samples[index - 1].keyframe = TRUE;
offset += 4;
}
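Review bot: `offset += 4;` sits inside the `if`, so an entry that fails the new range check (or is 0) never advances `offset`, and every remaining iteration re-reads the same rejected value. One out-of-range sync entry therefore causes all later, valid entries to be skipped and their keyframe flags are never set. Keeping the bounds check but moving the increment out of the conditional fixes this: `if (index > 0 && index <= stream->n_samples) samples[index - 1].keyframe = TRUE;` followed by an unconditional `offset += 4;`. The enclosing function continues outside the hunk.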
@@ -3191,7 +3191,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
for (i = 0, j = 0; (j < stream->n_samples) && (i < n_entries); i++) {
count = QT_UINT32 (ctts_data + 16 + i * 8);
soffset = QT_UINT32 (ctts_data + 20 + i * 8);
- for (k = 0; k < count; k++, j++) {
+ for (k = 0; (k < count) && (j < stream->n_samples); k++, j++) {
/* we operate with very small soffset values here, it shouldn't overflow */
samples[j].pts_offset = soffset * GST_SECOND / stream->timescale;
}
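Review bot: The comment above the `samples[j].pts_offset` assignment says soffset values are very small, but `soffset` is read straight from `ctts_data` with QT_UINT32 and nothing in this hunk limits it, so the comment records an assumption about well-formed files, not a guarantee. The same line divides by `stream->timescale`; whether a zero timescale is rejected earlier is not visible here, and it needs a check before this loop if it is not. I would reword the comment to `/* soffset comes from the file; the product is assumed to fit pts_offset's type (TODO confirm) */`. The value `soffset * GST_SECOND / stream->timescale` does not depend on `k` and can be computed once per entry.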
--
cgit v0.8.1-24-ge5fb
Index: gstreamer-plugins-good.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gstreamer-plugins-good/devel/gstreamer-plugins-good.spec,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -r1.82 -r1.83
--- gstreamer-plugins-good.spec 26 Jan 2009 10:06:22 -0000 1.82
+++ gstreamer-plugins-good.spec 2 Feb 2009 14:56:31 -0000 1.83
@@ -6,7 +6,7 @@
Name: %{gstreamer}-plugins-good
Version: 0.10.13
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: GStreamer plug-ins with good code and licensing
Group: Applications/Multimedia
@@ -21,6 +21,8 @@
Patch1: gst-plugins-good-0.10.11-pulse-hang-bz556986.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=470000
Patch2: pulseprobe-fix.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=481267
+Patch3: gstpb-qtdemux-overflow.patch
Requires: %{gstreamer} >= %{_gst}
Requires(pre): GConf2
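Review bot: `Patch3:` is declared here, but none of the three hunks in this spec diff adds a matching `%patch3` line to %prep. Unless the patch is applied by some mechanism not shown, release 2 would build without the qtdemux fix while the changelog says it is included. %prep should gain `%patch3 -p1 -b .qtdemux-overflow`; strip level 1 matches the `a/` and `b/` path prefixes in the patch file.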
@@ -257,6 +259,9 @@
gconftool-2 --makefile-install-rule %{_sysconfdir}/gconf/schemas/gstreamer-%{majorminor}.schemas > /dev/null || :
%changelog
+* Mon Feb 02 2009 - Bastien Nocera <bnocera at redhat.com> - 0.10.13-2
+- Patch for overflows in the QT demuxer (#481267)
+
* Mon Jan 26 2009 - Bastien Nocera <bnocera at redhat.com> - 0.10.13-1
- Update to 0.10.13
- Update libv4l patch