Bug#503118: patch for NMU

Mon, 03 Nov 2008 06:19:40 -0800 

Hi,
the patch for the NMU is archived on:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.h-4_0.8.6.h-4.1.patch 
and attached to this mail.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u vlc-0.8.6.h/debian/changelog vlc-0.8.6.h/debian/changelog
--- vlc-0.8.6.h/debian/changelog
+++ vlc-0.8.6.h/debian/changelog
@@ -1,3 +1,11 @@
+vlc (0.8.6.h-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix integer overflows that could possibly lead to arbitrary
+    code execution (CVE-2008-4686.diff; Closes: #503118).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Mon, 03 Nov 2008 14:41:58 +0100
+
 vlc (0.8.6.h-4) unstable; urgency=high
 
   * Security: Fix integer overflow in mms module
diff -u vlc-0.8.6.h/debian/patches/series vlc-0.8.6.h/debian/patches/series
--- vlc-0.8.6.h/debian/patches/series
+++ vlc-0.8.6.h/debian/patches/series
@@ -13,0 +14 @@
+408-CVE-2008-4686.diff
only in patch2:
unchanged:
--- vlc-0.8.6.h.orig/debian/patches/408-CVE-2008-4686.diff
+++ vlc-0.8.6.h/debian/patches/408-CVE-2008-4686.diff
@@ -0,0 +1,46 @@
+diff -Nurad vlc-0.8.6.h.orig/modules/demux/ty.c vlc-0.8.6.h/modules/demux/ty.c
+--- vlc-0.8.6.h.orig/modules/demux/ty.c	2008-11-01 14:10:36.000000000 +0100
++++ vlc-0.8.6.h/modules/demux/ty.c	2008-11-01 14:19:52.000000000 +0100
+@@ -129,8 +129,8 @@
+   mtime_t         lastVideoPTS;
+ 
+   ty_rec_hdr_t    *rec_hdrs;          /* record headers array */
+-  int             i_cur_rec;          /* current record in this chunk */
+-  int             i_num_recs;         /* number of recs in this chunk */
++  unsigned        i_cur_rec;          /* current record in this chunk */
++  unsigned        i_num_recs;         /* number of recs in this chunk */
+   int             i_seq_rec;          /* record number where seq start is */
+   vlc_bool_t      eof;
+   vlc_bool_t      b_first_chunk;
+@@ -763,7 +763,7 @@
+ {
+     demux_sys_t *p_sys = p_demux->p_sys;
+     int64_t seek_pos = p_sys->i_stream_size * seek_pct;
+-    int i;
++    unsigned i;
+     long l_skip_amt;
+ 
+     /* if we're not seekable, there's nothing to do */
+@@ -856,7 +856,8 @@
+ /* =========================================================================== */
+ static int get_chunk_header(demux_t *p_demux)
+ {
+-    int i_readSize, i_num_recs, i;
++    uint32_t i, i_readSize;
++    unsigned i_num_recs;
+     uint8_t packet_header[4];
+     uint8_t record_header[16];
+     ty_rec_hdr_t *p_rec_hdr;
+@@ -914,7 +915,11 @@
+     /* parse headers into array */
+     if (p_sys->rec_hdrs)
+         free(p_sys->rec_hdrs);
+-    p_sys->rec_hdrs = malloc(i_num_recs * sizeof(ty_rec_hdr_t));
++    p_sys->rec_hdrs = calloc(i_num_recs, sizeof(ty_rec_hdr_t));
++    if(!p_sys->rec_hdrs){
++        i_num_recs = 0;
++        return;
++    }
+     for (i = 0; i < i_num_recs; i++)
+     {
+         i_readSize = stream_Read( p_demux->s, record_header, 16 );

Attachment: pgpFx3okMqdg6.pgp
Description: PGP signature

Reply via email to