diff options
| -rw-r--r-- | .hgtags | 2 | ||||
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | src/combined/ffmpeg/ff_video_decoder.c | 17 | ||||
| -rw-r--r-- | src/demuxers/demux_4xm.c | 4 | ||||
| -rw-r--r-- | src/demuxers/demux_qt.c | 8 | ||||
| -rw-r--r-- | src/demuxers/id3.c | 22 |
6 files changed, 44 insertions, 20 deletions
@@ -80,4 +80,4 @@ ffe7962edb79c2ed967b82a82ccfb2ac7eb148a2 vdr-xine-version-802 e33280bcaa3b1f3f5b93e633e2225e2440ecfd7c xine-lib-1_1_16-release 01fac0a015581bbdf7e38561ad2a95405e2ca785 xine-lib-1_1_16_1-release ff19463729d8f9bbea35171d641c5f28cdacc7c8 xine-lib-1_1_16_2-release -0c7de0050b8df535dfa76b933979f4fc58bde10e DEBIAN_xine-lib-1.2_1.2.0~hg-0 +fc1aecbb9d80a32d9c802a5208dfdc012f1ba9d5 xine-lib-1_1_16_3-release @@ -68,7 +68,11 @@ xine-lib (1.1.90) (Unreleased) * Report more video output capabilities via (port)->get_capabilities(): colour controls, zooming, colour keying. -xine-lib (1.1.17) 2009-??-?? +xine-lib (1.1.16.3) 2009-04-03 + * Security fixes: + - Fix another possible int overflow in the 4XM demuxer. + (ref. TKADV2009-004, CVE-2009-0385) + - Fix an integer overflow in the Quicktime demuxer. * Enable libmpeg2new (if configured with --enable-libmpeg2new). This is not yet production code; the old mpeg2 decoder remains the default. * Add support for OpenBSD. @@ -77,6 +81,8 @@ xine-lib (1.1.17) 2009-??-?? pause/resume freeze with pulseaudio). * Fix build with libavutil >= 50.0.0. * Fix segfaults when playing VCDs. + * Fix calculation of frame duration for ffmpeg-decoded formats. + * Don't assume that ID3v2 tags with no content mean "end of ID3 data". xine-lib (1.1.16.2) 2009-02-10 * Build fixes related to ImageMagick 6.4 & later. @@ -86,7 +92,8 @@ xine-lib (1.1.16.2) 2009-02-10 * Fix broken size checks in various input plugins (ref. CVE-2008-5239). * More malloc checking (ref. CVE-2008-5240). * Fix race conditions in gapless_switch (ref. kde bug #180339) - * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt) + * Fix a possible integer overflow in the 4XM demuxer. + (TKADV2009-004, CVE-2009-0385) xine-lib (1.1.16.1) 2009-01-11 * Fix build with older ffmpeg, both internal and in Debian 5.0. diff --git a/src/combined/ffmpeg/ff_video_decoder.c b/src/combined/ffmpeg/ff_video_decoder.c index d7e068812..f412274a0 100644 --- a/src/combined/ffmpeg/ff_video_decoder.c +++ b/src/combined/ffmpeg/ff_video_decoder.c @@ -82,6 +82,7 @@ struct ff_video_decoder_s { int pts_tag_counter; int pts_tag_stable_counter; int video_step; + int reported_video_step; uint8_t decoder_ok:1; uint8_t decoder_init_mode:1; @@ -215,6 +216,9 @@ static int get_buffer(AVCodecContext *context, AVFrame *av_frame){ av_frame->type= FF_BUFFER_TYPE_USER; + /* take over pts for this frame to have it reordered */ + av_frame->reordered_opaque = context->reordered_opaque; + xine_list_push_back(this->dr1_frames, av_frame); return 0; @@ -1261,7 +1265,11 @@ static void ff_handle_buffer (ff_video_decoder_t *this, buf_element_t *buf) { } /* use externally provided video_step or fall back to stream's time_base otherwise */ - video_step_to_use = (this->video_step || !this->context->time_base.den) ? this->video_step : (int)(90000ll * this->context->time_base.num / this->context->time_base.den); + video_step_to_use = (this->video_step || !this->context->time_base.den) + ? this->video_step + : (int)(90000ll + * this->context->ticks_per_frame + * this->context->time_base.num / this->context->time_base.den); /* aspect ratio provided by ffmpeg, override previous setting */ if ((this->aspect_ratio_prio < 2) && @@ -1359,7 +1367,10 @@ static void ff_handle_buffer (ff_video_decoder_t *this, buf_element_t *buf) { /* fallback to the VIDEO_PTS_MODE */ video_step_to_use = 0; } - + + if (video_step_to_use && video_step_to_use != this->reported_video_step) + _x_stream_info_set(this->stream, XINE_STREAM_INFO_FRAME_DURATION, (this->reported_video_step = video_step_to_use)); + if (this->av_frame->repeat_pict) img->duration = video_step_to_use * 3 / 2; else @@ -1418,7 +1429,7 @@ static void ff_decode_data (video_decoder_t *this_gen, buf_element_t *buf) { if (buf->decoder_flags & BUF_FLAG_FRAMERATE) { this->video_step = buf->decoder_info[0]; - _x_stream_info_set(this->stream, XINE_STREAM_INFO_FRAME_DURATION, this->video_step); + _x_stream_info_set(this->stream, XINE_STREAM_INFO_FRAME_DURATION, (this->reported_video_step = this->video_step)); } if (buf->decoder_flags & BUF_FLAG_PREVIEW) { diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c index 0870179fe..7f4407733 100644 --- a/src/demuxers/demux_4xm.c +++ b/src/demuxers/demux_4xm.c @@ -190,9 +190,9 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) { return 0; } const uint32_t current_track = _X_LE_32(&header[i + 8]); - if (current_track + 1 > fourxm->track_count) { + if (current_track >= fourxm->track_count) { fourxm->track_count = current_track + 1; - if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) { + if (!fourxm->track_count || fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) { free(header); return 0; } diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c index 972395533..0f3c42276 100644 --- a/src/demuxers/demux_qt.c +++ b/src/demuxers/demux_qt.c @@ -1581,7 +1581,8 @@ static qt_error parse_trak_atom (qt_trak *trak, case STTS_ATOM: /* there should only be one of these atoms */ - if (trak->time_to_sample_table) { + if (trak->time_to_sample_table + || current_atom_size < 12 || current_atom_size >= UINT_MAX) { last_error = QT_HEADER_TROUBLE; goto free_trak; } @@ -1591,6 +1592,11 @@ static qt_error parse_trak_atom (qt_trak *trak, debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n", trak->time_to_sample_count); + if (trak->time_to_sample_count > (current_atom_size - 12) / 8) { + last_error = QT_HEADER_TROUBLE; + goto free_trak; + } + trak->time_to_sample_table = calloc(trak->time_to_sample_count+1, sizeof(time_to_sample_table_t)); if (!trak->time_to_sample_table) { last_error = QT_NO_MEMORY; diff --git a/src/demuxers/id3.c b/src/demuxers/id3.c index db04b89c4..ab15184af 100644 --- a/src/demuxers/id3.c +++ b/src/demuxers/id3.c @@ -241,7 +241,7 @@ static int id3v2_parse_header(input_plugin_t *input, uint32_t id3_signature, lprintf("tag: ID3 v2.%d.%d\n", tag_header->id & 0xFF, tag_header->revision); lprintf("flags: %d\n", tag_header->flags); - lprintf("size: %d\n", tag_header->size); + lprintf("size: %zu\n", tag_header->size); return 1; } else { return 0; @@ -261,7 +261,7 @@ static int id3v22_parse_frame_header(input_plugin_t *input, frame_header->size = _X_BE_24_synchsafe(&buf[3]); - lprintf("frame: %c%c%c: size: %d\n", buf[0], buf[1], buf[2], + lprintf("frame: %c%c%c: size: %zu\n", buf[0], buf[1], buf[2], frame_header->size); return 1; @@ -363,7 +363,7 @@ static int id3v22_parse_tag(input_plugin_t *input, while ((pos + ID3V22_FRAME_HEADER_SIZE) <= tag_header.size) { if (id3v22_parse_frame_header(input, &tag_frame_header)) { pos += ID3V22_FRAME_HEADER_SIZE; - if (tag_frame_header.id && tag_frame_header.size) { + if (tag_frame_header.id) { if ((pos + tag_frame_header.size) <= tag_header.size) { if (!id3v22_interp_frame(input, stream, &tag_frame_header)) { xprintf(stream->xine, XINE_VERBOSITY_DEBUG, @@ -407,7 +407,7 @@ static int id3v23_parse_frame_header(input_plugin_t *input, frame_header->size = _X_BE_32(&buf[4]); frame_header->flags = _X_BE_16(buf + 8); - lprintf("frame: %c%c%c%c, size: %d, flags: %X\n", buf[0], buf[1], buf[2], buf[3], + lprintf("frame: %c%c%c%c, size: %zu, flags: %X\n", buf[0], buf[1], buf[2], buf[3], frame_header->size, frame_header->flags); return 1; @@ -443,11 +443,11 @@ static int id3v23_parse_frame_ext_header(input_plugin_t *input, } } else { - lprintf("invalid ext header size: %d\n", frame_ext_header->size); + lprintf("invalid ext header size: %zu\n", frame_ext_header->size); return 0; } - lprintf("ext header: size: %d, flags: %X, padding_size: %d, crc: %d\n", + lprintf("ext header: size: %zu, flags: %X, padding_size: %d, crc: %d\n", frame_ext_header->size, frame_ext_header->flags, frame_ext_header->padding_size, frame_ext_header->crc); return 1; @@ -549,7 +549,7 @@ static int id3v23_parse_tag(input_plugin_t *input, while ((pos + ID3V23_FRAME_HEADER_SIZE) <= tag_header.size) { if (id3v23_parse_frame_header(input, &tag_frame_header)) { pos += ID3V23_FRAME_HEADER_SIZE; - if (tag_frame_header.id && tag_frame_header.size) { + if (tag_frame_header.id) { if ((pos + tag_frame_header.size) <= tag_header.size) { if (!id3v23_interp_frame(input, stream, &tag_frame_header)) { xprintf(stream->xine, XINE_VERBOSITY_DEBUG, @@ -564,7 +564,7 @@ static int id3v23_parse_tag(input_plugin_t *input, pos += tag_frame_header.size; } else { /* end of frames, the rest is padding */ - lprintf("skipping padding %d bytes\n", tag_header.size - pos); + lprintf("skipping padding %zu bytes\n", tag_header.size - pos); input->seek (input, tag_header.size - pos, SEEK_CUR); return 1; } @@ -610,7 +610,7 @@ static int id3v24_parse_frame_header(input_plugin_t *input, frame_header->size = _X_BE_32_synchsafe(&buf[4]); frame_header->flags = _X_BE_16(&buf[8]); - lprintf("frame: %c%c%c%c, size: %d, flags: %X\n", buf[0], buf[1], buf[2], buf[3], + lprintf("frame: %c%c%c%c, size: %zu, flags: %X\n", buf[0], buf[1], buf[2], buf[3], frame_header->size, frame_header->flags); return 1; @@ -690,7 +690,7 @@ static int id3v24_parse_ext_header(input_plugin_t *input, } else { return 0; } - lprintf("ext header: size: %d, flags: %X, crc: %d, restrictions: %8X\n", + lprintf("ext header: size: %zu, flags: %X, crc: %d, restrictions: %8X\n", frame_ext_header->size, frame_ext_header->flags, frame_ext_header->crc, frame_ext_header->restrictions); return 1; @@ -794,7 +794,7 @@ static int id3v24_parse_tag(input_plugin_t *input, while ((pos + ID3V24_FRAME_HEADER_SIZE) <= tag_header.size) { if (id3v24_parse_frame_header(input, &tag_frame_header)) { pos += ID3V24_FRAME_HEADER_SIZE; - if (tag_frame_header.id && tag_frame_header.size) { + if (tag_frame_header.id) { if ((pos + tag_frame_header.size) <= tag_header.size) { if (!id3v24_interp_frame(input, stream, &tag_frame_header)) { xprintf(stream->xine, XINE_VERBOSITY_DEBUG, |