pool/vlc
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
vlc/vlc-CVE-2014-9625.patch
Dominique Leuenberger 73b451885d Accepting request 282449 from home:dimstar:branches:multimedia:libs 
- Add vlc-CVE-2014-9625.patch: Fix various buffer overflows and
  null ptr dereferencing (boo#914268, CVE-2014-9625).

OBS-URL: https://build.opensuse.org/request/show/282449
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/vlc?expand=0&rev=91
2015-01-22 15:55:17 +00:00

254 lines
8.9 KiB
Diff
Raw Blame History

From b915dc931fe886add566f208650e0ab225acbe3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
Date: Wed, 30 Jul 2014 19:05:43 +0300
Subject: [PATCH 18/39] avformat: initialize probe data (fixes #11851)
(cherry picked from commit 49bd1c657d960ba107d9db8752f716139a938eee)
---
modules/demux/avformat/demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
index 3bb1266..902ef01 100644
--- a/modules/demux/avformat/demux.c
+++ b/modules/demux/avformat/demux.c
@@ -106,7 +106,7 @@ int OpenDemux( vlc_object_t *p_this )
{
demux_t *p_demux = (demux_t*)p_this;
demux_sys_t *p_sys;
- AVProbeData pd;
+ AVProbeData pd = { };
AVInputFormat *fmt = NULL;
unsigned int i;
int64_t i_start_time = -1;
--
2.2.1
From 74996ceefd63adf07e28ea80198200d74a164c9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
Date: Sat, 30 Aug 2014 16:41:53 +0300
Subject: [PATCH 27/39] decomp: fix heap overflow (fixes #12052)
---
modules/stream_filter/decomp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/stream_filter/decomp.c b/modules/stream_filter/decomp.c
index 5a12e87..16a4901 100644
--- a/modules/stream_filter/decomp.c
+++ b/modules/stream_filter/decomp.c
@@ -207,7 +207,7 @@ static int Read (stream_t *stream, void *buf, unsigned int buflen)
p_sys->offset += length;
if (buflen > 0)
- length += Read (stream, ((char *)buf) + length, buflen - length);
+ length += Read (stream, buf, buflen);
return length;
}
assert ((buf != NULL) || (buflen == 0));
--
2.2.1
From 9ddfcbb6e5222871de9b2047c939cf1da1fdbe7b Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi <fyamagu@gwdg.de>
Date: Sat, 6 Dec 2014 13:12:38 +0100
Subject: [PATCH 34/39] misc: update: fix buffer overflow in updater
On 32 bit builds, parsing of update status files with a size of
4294967295 or more lead to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit fbe2837bc80f155c001781041a54c58b5524fc14)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
---
src/misc/update.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/misc/update.c b/src/misc/update.c
index 600e900..32e8701 100644
--- a/src/misc/update.c
+++ b/src/misc/update.c
@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
}
const int64_t i_read = stream_Size( p_stream );
+
+ if( i_read < 0 || i_read >= UINT16_MAX)
+ {
+ msg_Err(p_update->p_libvlc, "Status file too large");
+ goto error;
+ }
+
psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
if( !psz_update_data )
goto error;
--
2.2.1
From a99d9cc2fede1a18140b43ffb59cde37cef7478d Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi <fyamagu@gwdg.de>
Date: Fri, 5 Dec 2014 15:18:22 +0100
Subject: [PATCH 35/39] codec: schroedinger: fix potential buffer overflow.
The variable len is a raw 32 bit value read using GetDWBE. If this
value is larger than UINT32_MAX - sizeof(eos), this will cause an
integer overflow in the subsequent call to malloc, and finally a
buffer overflow when calling memcpy. We fix this by checking len
accordingly.
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
---
modules/codec/schroedinger.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
index 0c5a7e7..93b72e1 100644
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
* is appended to the sequence header to allow guard
* against poor streaming servers */
/* XXX, should this be done using the packetizer ? */
+
+ if( len > UINT32_MAX - sizeof( eos ) )
+ return NULL;
+
p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
if( !p_enc->fmt_out.p_extra )
return NULL;
--
2.2.1
From 4e6137bbcd3d74630aa6f0e8b8b5b8aa0c19647d Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi <fyamagu@gwdg.de>
Date: Fri, 5 Dec 2014 15:37:05 +0100
Subject: [PATCH 36/39] codec: dmo: avoid null-pointer dereference.
Check the return value of malloc to avoid a null-pointer dereference.
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 229c385a79d48e41687fae8b4dfeaeef9c8c3eb7)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
---
modules/codec/dmo/dmo.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/codec/dmo/dmo.c b/modules/codec/dmo/dmo.c
index 6595f70..dd1fbbc 100644
--- a/modules/codec/dmo/dmo.c
+++ b/modules/codec/dmo/dmo.c
@@ -1310,6 +1310,9 @@ static int EncoderSetAudioType( encoder_t *p_enc, IMediaObject *p_dmo )
msg_Dbg( p_enc, "found cbSize: %i", p_wf->cbSize );
p_enc->fmt_out.i_extra = p_wf->cbSize;
p_enc->fmt_out.p_extra = malloc( p_enc->fmt_out.i_extra );
+ if( p_enc->fmt_out.p_extra == NULL)
+ return VLC_EGENERIC;
+
memcpy( p_enc->fmt_out.p_extra, &p_wf[1], p_enc->fmt_out.i_extra );
}
--
2.2.1
From 8eab5c92136ffc60873c41c06e7a6a9266e8af7c Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi <fyamagu@gwdg.de>
Date: Fri, 5 Dec 2014 13:52:42 +0100
Subject: [PATCH 37/39] demux: mp4: fix buffer overflow in parsing of string
boxes.
We ensure that pbox->i_size is never smaller than 8 to avoid an
integer underflow in the third argument of the subsequent call to
memcpy. We also make sure no truncation occurs when passing values
derived from the 64 bit integer p_box->i_size to arguments of malloc
and memcpy that may be 32 bit integers on 32 bit platforms.
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
Conflicts:
modules/demux/mp4/libmp4.c
---
modules/demux/mp4/libmp4.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 3abb940..ba6dcb9 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2596,6 +2596,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
{
MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
+ MP4_READBOX_EXIT( 0 );
+
p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
if( p_box->data.p_name->psz_text == NULL )
MP4_READBOX_EXIT( 0 );
--
2.2.1
From 41c52fbf434d6fc59e1a5e90118b8c924ea6f50d Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi <fyamagu@gwdg.de>
Date: Fri, 5 Dec 2014 13:58:24 +0100
Subject: [PATCH 38/39] stream_out: rtp: don't use VLA for user controlled data
It should fix a possible invalid memory access
When streaming ogg-files via rtp, an ogg-file can trigger an invalid
write access using an overly long 'configuration' string.
The original code attemps to allocate space to hold the string on the stack
and hence, cannot verify if allocation succeeds. Instead, we now allocate the
buffer on the heap and return if allocation fails.
In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
the size depends on the local variable 'len'. The variable 'len' is
calculated at (0) to be the length of a string contained in a specially
crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 204291467724867b79735c0ee3aeb0dbc2200f97)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
Conflicts:
modules/stream_out/rtpfmt.c
---
modules/stream_out/rtpfmt.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
index 7b71588..f19f41b 100644
--- a/modules/stream_out/rtpfmt.c
+++ b/modules/stream_out/rtpfmt.c
@@ -540,7 +540,11 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
char *end = strchr(start, ';');
assert(end != NULL);
size_t len = end - start;
- char b64[len + 1];
+
+ char *b64 = malloc(len + 1);
+ if(!b64)
+ return VLC_EGENERIC;
+
memcpy(b64, start, len);
b64[len] = '\0';
@@ -550,6 +554,7 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
int i_data;
i_data = vlc_b64_decode_binary(&p_orig, b64);
+ free(b64);
if (i_data == 0)
return VLC_EGENERIC;
assert(i_data > 9);
--
2.2.1
Reference in New Issue View Git Blame Copy Permalink