tags 478971 + patch fixed-upstream thanks Upon further inspection, this issue is fixed upstream (0.8.6f). Apparently, when .diffs were made for #478140, the following commit was missed:
http://trac.videolan.org/vlc/changeset/49a6a08ce9a7518ff1753ba1c68846401e7e74b0 and modules/demux/mp4/libmp4.c was left with an undefined FREENULL. At runtime, this results in printouts like the following (with vlc -vvv): [00000001] main private warning: cannot load module `/usr/lib/vlc/demux/libmp4_plugin.so' (/usr/lib/vlc/demux/libmp4_plugin.so: undefined symbol: FREENULL) I attach an updated 404-CVE-2008-1768.diff (for debian/patches) that seems to fix the problem. Best regards, Pier Luigi Pau
diff -Nurad vlc-0.8.6.e.orig/modules/codec/cinepak.c vlc-0.8.6.e/modules/codec/cinepak.c
--- vlc-0.8.6.e.orig/modules/codec/cinepak.c 2008-04-27 15:53:59.000000000 +0200
+++ vlc-0.8.6.e/modules/codec/cinepak.c 2008-04-27 16:04:26.000000000 +0200
@@ -396,7 +416,7 @@
 i_height = GET2BYTES( p_data );
 i_frame_strips = GET2BYTES( p_data );
- if( !i_frame_size || !i_width || !i_height )
+ if( !i_frame_size || !i_width || !i_height || i_width > 0xffff-3 || i_height > 0xffff-3)
 {
 /* Broken header */
 return( -1 );
diff -Nurad vlc-0.8.6.e.orig/modules/demux/mp4/libmp4.c vlc-0.8.6.e/modules/demux/mp4/libmp4.c
--- vlc-0.8.6.e.orig/modules/demux/mp4/libmp4.c 2008-04-27 15:53:59.000000000 +0200
+++ vlc-0.8.6.e/modules/demux/mp4/libmp4.c 2008-04-27 16:16:02.000000000 +0200
@@ -37,6 +37,8 @@
 * *look* at the code.
 *
 *****************************************************************************/
+#define FREENULL( p ) do { free( p ); p = NULL; } while(0)
+
 #define MP4_BOX_HEADERSIZE( p_box ) \
 ( 8 + ( p_box->i_shortsize == 1 ? 8 : 0 ) \
 + ( p_box->i_type == FOURCC_uuid ? 16 : 0 ) )
@@ -1641,9 +1641,19 @@
 FREE( p_box->data.p_stdp->i_priority )
 }
+static void MP4_FreeBox_padb( MP4_Box_t *p_box )
+{
+ FREENULL( p_box->data.p_padb->i_reserved1 );
+ FREENULL( p_box->data.p_padb->i_pad2 );
+ FREENULL( p_box->data.p_padb->i_reserved2 );
+ FREENULL( p_box->data.p_padb->i_pad1 );
+}
+
 static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
 {
+ int code = 0;
 unsigned int i;
+ uint32_t count;
 MP4_READBOX_ENTER( MP4_Box_data_padb_t );
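Review bot: The new upper bound `0xffff-3` on i_width and i_height in the cinepak header check is an unexplained magic constant, so a reader cannot tell what the `-3` is protecting; presumably it leaves headroom for a round-up computation further down the function, but that code is outside the hunk and should be confirmed. Either name the bound or comment it at the check, e.g. `/* keep i_width/i_height small enough that the later +3 round-up cannot wrap a 16-bit size */`, adjusted to whatever the following code actually computes. The enclosing function starts and ends outside the hunk.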
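Review bot: The argument of the new `#define FREENULL( p ) do { free( p ); p = NULL; } while(0)` is not parenthesized and is evaluated twice, which is harmless for the plain member lvalues this patch passes but will misbehave on any argument with side effects or a lower-precedence expression. Write it as `#define FREENULL( p ) do { free( (p) ); (p) = NULL; } while(0)` so later callers are not caught out. The macro also relies on `<stdlib.h>` already being included higher in the file, which is outside the hunk.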
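Review bot: The relocated MP4_FreeBox_padb is now also the cleanup routine for the partial-read error path added later in this patch, where some of the four arrays may still be NULL; that only works because free(NULL) is a no-op, and nothing in the function says so. Add a header comment such as `/* Releases the four padb arrays; safe on a partially initialised box because free( NULL ) is a no-op. */` above the definition so the next person does not add a NULL guard or reorder it.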
@@ -1652,19 +1662,21 @@
 MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
- p_box->data.p_padb->i_reserved1 =
- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
- p_box->data.p_padb->i_pad2 =
- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
- p_box->data.p_padb->i_reserved2 =
- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
- p_box->data.p_padb->i_pad1 =
- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
+ count = (p_box->data.p_padb->i_sample_count + 1) / 2;
+ p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
 for( i = 0; i < i_read / 2 ; i++ )
 {
- p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
+ if( i >= count )
+ {
+ MP4_FreeBox_padb( p_box );
+ goto error;
+ }
+ p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
 p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
 p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
 p_box->data.p_padb->i_pad1[i] = ( (*p_peek) )&0x07;
@@ -1677,15 +1689,10 @@
 i_read / 2 );
 #endif
- MP4_READBOX_EXIT( 1 );
-}
+ code = 1;
-static void MP4_FreeBox_padb( MP4_Box_t *p_box )
-{
- FREE( p_box->data.p_padb->i_reserved1 );
- FREE( p_box->data.p_padb->i_pad2 );
- FREE( p_box->data.p_padb->i_reserved2 );
- FREE( p_box->data.p_padb->i_pad1 );
+error:
+ MP4_READBOX_EXIT( code );
 }
 static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box )
diff -Nurad vlc-0.8.6.e.orig/modules/demux/real.c vlc-0.8.6.e/modules/demux/real.c
--- vlc-0.8.6.e.orig/modules/demux/real.c 2008-04-27 15:53:59.000000000 +0200
+++ vlc-0.8.6.e/modules/demux/real.c 2008-04-27 16:06:12.000000000 +0200
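Review bot: The four `calloc( count, sizeof(uint16_t) )` results are still not checked before the loop indexes them, and count is taken straight from the file's i_sample_count, so an allocation failure is followed by writes through a NULL pointer on the first iteration. The new `i >= count` guard fixes the overrun but not this case; a NULL check on all four arrays before the `for`, routed through the same `MP4_FreeBox_padb( p_box ); goto error;` path, closes it (free(NULL) is a no-op, so partial allocation is safe to release). Separately, the retained context line `p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;` overwrites the value the new added line stores two lines earlier, while i_reserved2 is allocated but never written; this looks like a pre-existing copy-paste slip that the patch carries forward, and presumably the `>> 3` line should target i_reserved2, to be confirmed against the padb layout. The rest of the loop body, including the advance of p_peek, is outside the hunk.
```c
    p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
    if( !p_box->data.p_padb->i_reserved1 || !p_box->data.p_padb->i_pad2 ||
        !p_box->data.p_padb->i_reserved2 || !p_box->data.p_padb->i_pad1 )
    {
        /* free( NULL ) is a no-op, so a partially allocated box is safe to release */
        MP4_FreeBox_padb( p_box );
        goto error;
    }
    /* … unchanged: bit-unpacking loop with the i >= count guard … */
```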
@@ -1082,18 +1082,16 @@
 tk->i_subpackets = i_subpacket_h * i_frame_size / tk->i_subpacket_size;
 tk->p_subpackets =
- malloc( tk->i_subpackets * sizeof(block_t *) );
+ calloc( tk->i_subpackets, sizeof(block_t *) );
 }
 else if( fmt.i_codec == VLC_FOURCC('2','8','_','8') )
 {
 tk->i_subpackets = i_subpacket_h * i_frame_size / tk->i_coded_frame_size;
 tk->p_subpackets =
- malloc( tk->i_subpackets * sizeof(block_t *) );
+ calloc( tk->i_subpackets, sizeof(block_t *) );
 }
- for( i = 0; i < tk->i_subpackets; i++ ) tk->p_subpackets[i] = NULL;
-
 tk->p_es = es_out_Add( p_demux->out, &fmt );
 TAB_APPEND( p_sys->i_track, p_sys->track, tk );
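Review bot: Both new `calloc( tk->i_subpackets, sizeof(block_t *) )` calls leave the result unchecked, and i_subpackets is computed from file-supplied values on the context lines (`i_subpacket_h * i_frame_size / tk->i_subpacket_size`), so an oversized request yields a NULL p_subpackets that whatever later code indexes it will dereference. Add `if( !tk->p_subpackets ) goto error;` (or the function's existing failure path) after each call. The divisors tk->i_subpacket_size and tk->i_coded_frame_size are also file-controlled; unless they are validated earlier, which is outside the hunk, a zero value divides by zero before the allocation is reached. The enclosing function continues outside the hunk.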