authorDarren Salt <linux@youmustbejoking.demon.co.uk>2008-03-19 22:48:18 +0000
committerDarren Salt <linux@youmustbejoking.demon.co.uk>2008-03-19 22:48:18 +0000
commitfd417a2e958b0f38be68a09c1316324f1e9589c4 (patch)
tree7732a6bb62dbc1bf535a375c9a31b7784660c070
parent320fa309c16c5b35844b06e4097fe5234856550c (diff)
parent7d85f38774705d6954c2c67b2e8c9991de3e0f87 (diff)
downloadxine-lib-fd417a2e958b0f38be68a09c1316324f1e9589c4.tar.gz
xine-lib-fd417a2e958b0f38be68a09c1316324f1e9589c4.tar.bz2
Merge from 1.1.
-rw-r--r--.hgsigs1
-rw-r--r--.hgtags1
-rw-r--r--ChangeLog8
-rw-r--r--src/input/libreal/sdpplin.c23
-rw-r--r--src/input/libreal/sdpplin.h4
5 files changed, 29 insertions, 8 deletions
diff --git a/.hgsigs b/.hgsigs
index 367ce4851..92f6ce36d 100644
--- a/.hgsigs
+++ b/.hgsigs
@@ -3,3 +3,4 @@
1dbf784bebc791266fcca02e917ee63034ac2e0b 0 iD8DBQBHgQ2mzbwfTn7RbcARArl9AKCslqZDrrm0GiU3IbBvcQVbOdSXlwCgyEMuHY2y/+T6WEeB2CXvCTs5ulI=
b591d00fcd386cdd3779378c34b2d42b7504afc4 0 iD8DBQBHh5UfsBKtjPGfWZ8RAgvMAJ9xwnDNifmaobFYe2nR7+rJlLTkEQCgguGMqwqRZY68HWQXhEx918hp4Yg=
ae1e23df14223cdacf83df75b28b223895d658c2 0 iD8DBQBHm6SjsBKtjPGfWZ8RAi8HAKDAHmmLu8rwN5XJJPhfEofE7BTpsgCfTyNzku+v/PhqXgl4kQnRiB6nUSE=
+d912bda42df43a6ec24a4d479e202c327a733a42 0 iD8DBQBH4R2HsBKtjPGfWZ8RAr/IAJ46ypOhqO0EiSDrZYhumvpFYtrPQwCbBz/SXSDNuJNaKlR70Ep+THmhFIk=
diff --git a/.hgtags b/.hgtags
index e67c9ed20..ab55cbd20 100644
--- a/.hgtags
+++ b/.hgtags
@@ -70,3 +70,4 @@ b6be674453e922114b55d4613cb197c77d19f094 xine-lib-1_1_9-release
af8d20ae15d8c619ce0e215817d4b8fdba814407 vdr-xine-version-801
c3a5e9ba6dfc694408275a54114d571d68acbd25 vdr-xine-version-712
ffe7962edb79c2ed967b82a82ccfb2ac7eb148a2 vdr-xine-version-802
+10a6bc10e58f45f6cb79f634bdb6b7daa3167742 xine-lib-1_1_11-release
diff --git a/ChangeLog b/ChangeLog
index 8ffcd167e..f78399c3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -64,12 +64,14 @@ xine-lib (1.1.90) (Unreleased)
* Report more video output capabilities via (port)->get_capabilities():
colour controls, zooming, colour keying.
-xine-lib (1.1.11) unreleased
+xine-lib (1.1.11) 2008-03-19
+ * Security fixes:
+ - Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073)
* Reworked the plugin directory naming so that external plugins don't have
to be rebuilt for every release. We now use a naming scheme based on the
API/ABI versioning, checking older directories - with this release, the
- plugin directory name is 1.19, and if this gets bumped to 1.20 in a
- future release, 1.19 will still be available for external plugins.
+ plugin directory name is 1.20, and if this gets bumped to 1.21 in a
+ future release, 1.20 will still be available for external plugins.
(Any directories not 1.* won't be looked in.)
* Made the version parsing much more reliable; it wasn't properly coping
with four-part version numbers. This affects any program whose build
diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c
index d58a3d1fe..98646b8dd 100644
--- a/src/input/libreal/sdpplin.c
+++ b/src/input/libreal/sdpplin.c
@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
handled=0;
if(filter(*data,"a=control:streamid=",&buf)) {
- desc->stream_id=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream id out of bound: %lu\n", tmp);
+ else
+ desc->stream_id=tmp;
handled=1;
*data=nl(*data);
}
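Review bot: `strtoul(buf, NULL, 10)` cannot tell a missing or non-numeric stream id from a literal 0, and the comment's claim about negative values is only partly true: strtoul negates in unsigned long, so a negative value of large enough magnitude wraps to a small number and passes the `UINT16_MAX` test. Passing an end pointer and rejecting a leading minus closes both gaps, e.g. `char *end; unsigned long tmp = strtoul(buf, &end, 10);` followed by `if (end == buf || *buf == '-' || tmp > UINT16_MAX)`. When the value is rejected, `desc->stream_id` keeps whatever it held before (its initialisation is outside the hunk), so the caller may still file this stream under an id the server never sent; treating the rejection as a parse failure would be safer. The same parsing pattern is repeated for `a=StreamCount` in sdpplin_parse.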
@@ -251,7 +258,10 @@ sdpplin_t *sdpplin_parse(char *data) {
}
stream=sdpplin_parse_stream(&data);
lprintf("got data for stream id %u\n", stream->stream_id);
- desc->stream[stream->stream_id]=stream;
+ if ( stream->stream_id >= desc->stream_count )
+ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+ else
+ desc->stream[stream->stream_id]=stream;
continue;
}
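Review bot: The rejected stream is dropped without being freed: when `stream->stream_id >= desc->stream_count`, the descriptor returned by sdpplin_parse_stream() is only logged and the loop continues, so every out-of-range stream section in a description leaks one allocation. The rejecting branch should release `stream` and the strings it owns before `continue`. The accepting branch has a related gap, because a second stream carrying an id already seen overwrites `desc->stream[id]` and loses the earlier pointer; testing `if (desc->stream[stream->stream_id] == NULL)` before the store would cover that. sdpplin_parse's body starts and ends outside this hunk, so whether `stream` can be NULL at the preceding `lprintf` cannot be confirmed from here.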
@@ -292,7 +302,14 @@ sdpplin_t *sdpplin_parse(char *data) {
}
if(filter(data,"a=StreamCount:integer;",&buf)) {
- desc->stream_count=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream count out of bound: %lu\n", tmp);
+ else
+ desc->stream_count = tmp;
desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
handled=1;
data=nl(data);
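Review bot: The result of `calloc` is stored without a check, so if the allocation fails `desc->stream` is NULL while `desc->stream_count` is non-zero, and the new `stream_id >= stream_count` test in the earlier hunk would then permit a store through a null base pointer. Adding `if (!desc->stream) desc->stream_count = 0;` right after the call keeps the count and the array consistent. The `calloc` also runs in the out-of-bound branch and on every repeated `a=StreamCount` line, replacing the previous array without freeing it; moving the call into the `else` branch and freeing any earlier array first would avoid that leak. The enclosing function continues outside the hunk.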
diff --git a/src/input/libreal/sdpplin.h b/src/input/libreal/sdpplin.h
index cb3b434d4..72cbaf731 100644
--- a/src/input/libreal/sdpplin.h
+++ b/src/input/libreal/sdpplin.h
@@ -37,7 +37,7 @@ typedef struct {
char *id;
char *bandwidth;
- int stream_id;
+ uint16_t stream_id;
char *range;
char *length;
char *rtpmap;
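Review bot: `uint16_t` is introduced here and for `stream_count` in the second hunk, but neither hunk adds `#include <stdint.h>` and the diffstat shows no other change to this header, so the type (and `UINT16_MAX` in sdpplin.c) must come from an include that is not visible on this page; it is worth confirming the header is self-contained. A short comment on each field would record the invariant the parser now depends on, e.g. `/* index into sdpplin_t.stream; valid only if < stream_count */` on `stream_id` and `/* number of entries allocated in stream[] */` on `stream_count`. Both struct definitions extend beyond the hunks.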
@@ -81,7 +81,7 @@ typedef struct {
int flags;
int is_real_data_type;
- int stream_count;
+ uint16_t stream_count;
char *title;
char *author;
char *copyright;