tags 458318 + patch thanks Hi, * Nico Golde <[EMAIL PROTECTED]> [2008-01-03 20:46]: > * Stefan Fritsch <[EMAIL PROTECTED]> [2007-12-30 12:56]: > [...] > > According to http://www.securityfocus.com/archive/1/485488/30/0/threaded , > > there > > are two more unfixed security issues in vlc: > > > > A] buffer-overflow in the handling of the subtitles > > B] format string in the web interface > > Here we come with the fifth vulnerability: > https://trac.videolan.org/vlc/changeset/23197
I am not 100% sure whether this is the same issue as the one described at http://mailman.videolan.org/pipermail/vlc-devel/2007-December/037726.html and https://trac.videolan.org/vlc/ticket/1371. If this only affects EXTVLCOPT, then they are the same issue. Support for EXTVLCOPT was dropped to fix this. Does anyone know more? Patches for all issues are attached. Is anyone already packaging 0.8.6d? Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nurad vlc-0.8.6.c.orig/src/network/httpd.c vlc-0.8.6.c/src/network/httpd.c
--- vlc-0.8.6.c.orig/src/network/httpd.c 2008-01-03 20:18:35.000000000 +0100
+++ vlc-0.8.6.c/src/network/httpd.c 2008-01-03 20:21:06.000000000 +0100
@@ -414,7 +414,7 @@
 psz_connection = httpd_MsgGet( &cl->query, "Connection" ); if( psz_connection != NULL ) {
- httpd_MsgAdd( answer, "Connection", psz_connection );
+ httpd_MsgAdd( answer, "Connection", "%s", psz_connection );
 } httpd_MsgAdd( answer, "Content-Length", "%d", answer->i_body );
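Review bot: `httpd_MsgAdd` appears to carry no format-checking annotation, so the mistake corrected on the `"Connection"` line can recur unnoticed at any other call site that passes request data as the third argument. The `"%d", answer->i_body` call in the same hunk shows the third parameter is a printf-style format, so where the compiler supports it the prototype could be declared with `__attribute__((format(printf, 3, 4)))`. The prototype is outside this hunk, so the argument positions should be confirmed there. A short comment above the fixed call, `/* header value is client-supplied: pass it as data, never as the format */`, would record why the `"%s"` must stay.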
diff -Nurad vlc-0.8.6.c.orig/modules/demux/playlist/m3u.c vlc-0.8.6.c/modules/demux/playlist/m3u.c
--- vlc-0.8.6.c.orig/modules/demux/playlist/m3u.c 2008-01-03 20:18:51.000000000 +0100
+++ vlc-0.8.6.c/modules/demux/playlist/m3u.c 2008-01-03 20:52:59.000000000 +0100
@@ -135,8 +135,6 @@
 char *psz_artist = NULL; int i_parsed_duration = 0; mtime_t i_duration = -1;
- char **ppsz_options = NULL;
- int i_options = 0, i;
 playlist_item_t *p_item, *p_current;
@@ -189,19 +187,7 @@
 if ( psz_artist ) psz_artist = strdup( psz_artist ); }
- else if( !strncasecmp( psz_parse, "EXTVLCOPT:",
- sizeof("EXTVLCOPT:") -1 ) )
- {
- /* VLC Option */
- char *psz_option;
- psz_parse += sizeof("EXTVLCOPT:") -1;
- if( !*psz_parse ) goto error;
- psz_option = MaybeFromLocaleDup( psz_parse );
- if( psz_option )
- INSERT_ELEM( ppsz_options, i_options, i_options,
- psz_option );
- }
 } else if( *psz_parse ) {
@@ -219,10 +205,6 @@
 if( !psz_mrl ) goto error; p_item = playlist_ItemNew( p_playlist, psz_mrl, psz_name );
- for( i = 0; i< i_options; i++ )
- {
- playlist_ItemAddOption( p_item, ppsz_options[i] );
- }
 p_item->input.i_duration = i_duration; if ( psz_artist && *psz_artist ) vlc_input_item_AddInfo( &p_item->input, _(VLC_META_INFO_CAT),
@@ -252,9 +234,6 @@
 if( b_cleanup ) { /* Cleanup state */
- while( i_options-- ) free( ppsz_options[i_options] );
- if( ppsz_options ) free( ppsz_options );
- ppsz_options = NULL; i_options = 0;
 if( psz_name ) free( psz_name ); psz_name = NULL; if ( psz_artist ) free( psz_artist );
diff -Nurad vlc-0.8.6.c.orig/modules/misc/rtsp.c vlc-0.8.6.c/modules/misc/rtsp.c
--- vlc-0.8.6.c.orig/modules/misc/rtsp.c 2008-01-03 20:18:46.000000000 +0100
+++ vlc-0.8.6.c/modules/misc/rtsp.c 2008-01-03 20:34:21.000000000 +0100
@@ -678,6 +678,12 @@
 { psz_playnow = httpd_MsgGet( query, "x-playNow" ); psz_transport = httpd_MsgGet( query, "Transport" );
+ if( psz_transport == NULL )
+ {
+ answer->i_status = 400;
+ answer->psz_status = strdup( "Bad request" );
+ break;
+ }
 msg_Dbg( p_vod, "HTTPD_MSG_SETUP: transport=%s", psz_transport ); if( strstr( psz_transport, "unicast" ) &&
diff -Nurad vlc-0.8.6.c.orig/modules/stream_out/rtp.c vlc-0.8.6.c/modules/stream_out/rtp.c
--- vlc-0.8.6.c.orig/modules/stream_out/rtp.c 2008-01-03 20:18:50.000000000 +0100
+++ vlc-0.8.6.c/modules/stream_out/rtp.c 2008-01-03 21:10:18.000000000 +0100
@@ -1855,6 +1855,12 @@
 case HTTPD_MSG_SETUP: { char *psz_transport = httpd_MsgGet( query, "Transport" );
+ if( psz_transport == NULL )
+ {
+ answer->i_status = 400;
+ answer->psz_status = strdup( "Bad request" );
+ break;
+ }
 //fprintf( stderr, "HTTPD_MSG_SETUP: transport=%s\n", psz_transport );
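Review bot: The result of `strdup( "Bad request" )` is stored in `answer->psz_status` unchecked in the new guard, both here in rtsp.c and in the identical rtp.c hunk. An allocation failure would therefore leave a 400 answer with a NULL status string; whether the code that serialises the answer tolerates that is not visible in either hunk. In rtsp.c, `psz_playnow` comes from the same `httpd_MsgGet` call one statement earlier and gets no NULL guard in the visible lines, so its later use (outside the hunk) deserves the same scrutiny. A comment above each guard, `/* Transport is client-supplied and may be absent: reject before strstr() dereferences it */`, would document why the check must precede the `strstr` call. Both SETUP handlers start and end outside their hunks.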
diff -Nurad vlc-0.8.6.c.orig/modules/demux/subtitle.c vlc-0.8.6.c/modules/demux/subtitle.c
--- vlc-0.8.6.c.orig/modules/demux/subtitle.c 2008-01-03 20:18:51.000000000 +0100
+++ vlc-0.8.6.c/modules/demux/subtitle.c 2008-01-03 21:01:29.000000000 +0100
@@ -723,8 +723,8 @@
 i_stop = 0; memset( buffer_text, '\0', MAX_LINE );
- if( sscanf( s, "{%d}{}%[^\r\n]", &i_start, buffer_text ) == 2 ||
- sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
+ if( sscanf( s, "{%d}{}%8192[^\r\n]", &i_start, buffer_text ) == 2 ||
+ sscanf( s, "{%d}{%d}%8192[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
 { break; }
@@ -949,8 +949,8 @@
 demux_sys_t *p_sys = p_demux->p_sys; text_t *txt = &p_sys->txt;
- char buffer_text[ 10 * MAX_LINE];
- char buffer_text2[ 10 * MAX_LINE];
+ char buffer_text[ 10 * MAX_LINE + 1];
+ char buffer_text2[ 10 * MAX_LINE + 1];
 char *s; int64_t i_start; int64_t i_stop;
@@ -981,7 +981,7 @@
 * Dialogue: Layer#,0:02:40.65,0:02:41.79,Wolf main,Cher,0000,0000,0000,,Et les enregistrements de ses ondes delta ? */ if( sscanf( s,
- "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]",
+ "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",
 buffer_text2, &h1, &m1, &s1, &c1, &h2, &m2, &s2, &c2,
@@ -1075,7 +1075,7 @@
 i_start = 0; memset( buffer_text, '\0', MAX_LINE );
- if( sscanf( p, "%d:%d:%d%[ :]%[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
+ if( sscanf( p, "%d:%d:%d%[ :]%81920[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
 { i_start = ( (int64_t)h * 3600*1000 + (int64_t)m * 60*1000 +
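Review bot: In the `@@ -723,8 +723,8 @@` hunk the field width `8192` is a bare literal, while the `memset` just above sizes the same buffer with `MAX_LINE`. Nothing ties the two together, so a later change to `MAX_LINE` would silently invalidate the bound. `%8192[` also stores up to 8192 bytes plus a terminating NUL, so `buffer_text` must hold at least 8193 bytes; its declaration is outside the hunk and should be confirmed as `MAX_LINE + 1` (assuming `MAX_LINE` is 8192). A comment above the `if`, `/* field width must equal MAX_LINE; buffer_text holds MAX_LINE + 1 bytes */`, would make the coupling explicit.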
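Review bot: In the `@@ -981,7 +981,7 @@` hunk the first conversion of the `Dialogue:` format, `%[^,]` into `buffer_text2`, still has no field width. A first field longer than the buffer can therefore still write past the end of the stack array, which is the same problem this change fixes for the last field. It should be bounded the same way: `"Dialogue: %81920[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",`. The `+ 1` added to both declarations in the `@@ -949,8 +949,8 @@` hunk is what leaves room for the terminating NUL at that width, again assuming `MAX_LINE` is 8192.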
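Review bot: In the `@@ -1075,7 +1075,7 @@` hunk the width `81920` looks inconsistent with the buffer this parser uses, because the `memset` directly above clears only `MAX_LINE` bytes of `buffer_text`. That is the same pattern the `{%d}{}` parser pairs with a width of 8192. If `buffer_text` in this function is declared at `MAX_LINE` scale rather than `10 * MAX_LINE + 1` (the declaration is outside the hunk), the new bound still allows a write about ten times the buffer size, and the conversion should be `%8192[^\r\n]`. The `%[ :]` conversion into `&c` also has no width; if `c` is a single `char`, one matched character plus the NUL already overruns it, so it needs a width and a target array large enough for it.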
pgpUQL18QDCJs.pgp
Description: PGP signature