author | Thomas Penteker <tek@serverop.de> | 2011-01-23 14:24:58 +0100 |
---|---|---|
committer | Thomas Penteker <tek@serverop.de> | 2011-01-23 14:24:58 +0100 |
commit | e9fcdb8ad25ec03427590afb61a403e6265b7afe (patch) | |
tree | 19925c8da563b502bc5031508fd463a7c0cdd4d1 | |
parent | 5f5e331adaf1e27d2b526e0fa5ba06b78afc5856 (diff) | |
download | contrib-e9fcdb8ad25ec03427590afb61a403e6265b7afe.tar.gz contrib-e9fcdb8ad25ec03427590afb61a403e6265b7afe.tar.xz |
vlc: include patch to prevent heap corruption
-rw-r--r-- | vlc/.md5sum | 1 | ||||
-rw-r--r-- | vlc/Pkgfile | 11 | ||||
-rw-r--r-- | vlc/fix-heap-corruption.diff | 59 |
3 files changed, 69 insertions, 2 deletions
diff --git a/vlc/.md5sum b/vlc/.md5sum
index ece67c072..8b89c44ff 100644
--- a/vlc/.md5sum
+++ b/vlc/.md5sum
@@ -1 +1,2 @@
+6a70d4161bad4e2630176999a4a04465 fix-heap-corruption.diff
 fdc23693351ed57af9f4c85ea885b536 vlc-1.1.5.tar.bz2
diff --git a/vlc/Pkgfile b/vlc/Pkgfile
index 8348014b4..27b4cb1c2 100644
--- a/vlc/Pkgfile
+++ b/vlc/Pkgfile
@@ -6,11 +6,18 @@
 
 name=vlc
 version=1.1.5
-release=1
-source=(http://download.videolan.org/pub/videolan/$name/$version/$name-$version.tar.bz2)
+release=2
+source=(http://download.videolan.org/pub/videolan/$name/$version/$name-$version.tar.bz2 \
+ fix-heap-corruption.diff)
 
 build() {
 cd $name-$version
+
+ # See
+ # http://git.videolan.org/?p=vlc.git;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab
+ # for details
+ patch -i $SRC/fix-heap-corruption.diff -p1
+
 ./configure --prefix=/usr \
 --disable-nls \
 --disable-fribidi \
diff --git a/vlc/fix-heap-corruption.diff b/vlc/fix-heap-corruption.diff
new file mode 100644
index 000000000..3d6cf1ba5
--- /dev/null
+++ b/vlc/fix-heap-corruption.diff
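Review bot: The added `patch -i $SRC/fix-heap-corruption.diff -p1` line in build() does not itself guard against a failed apply; unless the port builder runs build() with `set -e` (not visible from this hunk), a rejected hunk would let the build continue and ship the unpatched CDG decoder that this release exists to fix. Suggest `patch -i $SRC/fix-heap-corruption.diff -p1 || return 1` so a failed apply aborts the port build instead of silently producing a vulnerable package. The comment above it could also say what the patch does so a later maintainer knows when it can be dropped, e.g. `# Backport of upstream f9b664e: bounds checks in the CDG decoder (heap overflow fix); drop once a release containing it is packaged`. build() continues past the end of the hunk.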
@@ -0,0 +1,59 @@
+From f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 7 Jan 2011 11:06:08 -0500
+Subject: [PATCH] Fix heap overflows in CDG decoder
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+This patch resolves two heap corruption vulnerabilities in the CDG
+decoder for VLC media player. In both cases, a failure to properly
+validate indexes into statically-sized arrays on the heap could allow a
+maliciously crafted CDG video to corrupt the heap in a controlled
+manner, potentially leading to code execution.
+
+The patch is against v1.1.5 from vlc git, but this decoder hasn't been
+touched in awhile, so I'd expect it to cleanly apply to older versions.
+I've tested it and confirmed it resolves the heap corruption issues and
+does not break functionality.
+
+(...)
+
+Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
+---
+ modules/codec/cdg.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/modules/codec/cdg.c b/modules/codec/cdg.c
+index 31ecd0e..fe7b62d 100644
+--- a/modules/codec/cdg.c
++++ b/modules/codec/cdg.c
+@@ -254,7 +254,13 @@ static int DecodeTileBlock( decoder_sys_t *p_cdg, const uint8_t *p_data, int doX
+ for( x = 0; x < 6; x++ )
+ {
+ const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
+- uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
++
++ int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
++ if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
++ return 0;
++
++ uint8_t *p = &p_cdg->p_screen[index];
++
+ if( doXor )
+ *p ^= p_color[idx];
+ else
+@@ -319,8 +325,8 @@ static int DecodeScroll( decoder_sys_t *p_cdg, const uint8_t *p_data, int b_copy
+
+ if( b_copy )
+ {
+- dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
+- dy = ( dy + CDG_SCREEN_WIDTH ) % CDG_SCREEN_WIDTH;
++ dy %= CDG_SCREEN_HEIGHT;
++ dx %= CDG_SCREEN_WIDTH;
+ }
+ else
+ {
+--
+1.7.2.3
+
|