-rw-r--r--ChangeLog6
-rw-r--r--src/input/libdvdnav/dvd_reader.c24
-rw-r--r--src/input/libdvdnav/dvd_reader.h2
-rw-r--r--src/input/libdvdnav/ifo_read.c6
-rw-r--r--src/xine-engine/xine.c16
-rw-r--r--src/xine-utils/xmllexer.c2
6 files changed, 45 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 4efca3ef1..8ffcd167e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -90,6 +90,10 @@ xine-lib (1.1.10.1) 2008-02-07
- Array index vulnerability which may allow remote attackers to execute
arbitrary code via a crafted FLAC tag, causing a stack buffer overflow.
(CVE-2008-0486)
+ - Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c)
+ which may allow remote attackers to cause a denial of service (crash)
+ or possibly execute arbitrary code via a Matroska file with invalid
+ frame sizes. (CVE-2008-1161)
* Fix a RealPlayer codec detection bug.
* Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag
size.
@@ -98,7 +102,7 @@ xine-lib (1.1.10) 2008-01-26
* Security fixes:
- Buffer overflow which allows a remote attacker to execute arbitrary
code or crash the client program via a crafted ASF header.
- (Related to CVE-2006-1664)
+ (CVE-2008-1110, related to CVE-2006-1664)
* Update Ogg and Annodex mimetypes and extensions.
* Change the default v4l device paths to /dev/video0 and /dev/radio0.
* Fix support for subtitles with schemes (e.g. http://), partly broken
diff --git a/src/input/libdvdnav/dvd_reader.c b/src/input/libdvdnav/dvd_reader.c
index c15a5c3f5..4144b9133 100644
--- a/src/input/libdvdnav/dvd_reader.c
+++ b/src/input/libdvdnav/dvd_reader.c
@@ -1037,6 +1037,28 @@ int32_t DVDFileSeek( dvd_file_t *dvd_file, int32_t offset )
return offset;
}
+int32_t DVDFileSeekForce( dvd_file_t *dvd_file, int offset, int force_size )
+{
+ /* Check arguments. */
+ if( dvd_file == NULL || offset < 0 )
+ return -1;
+
+ if( dvd_file->dvd->isImageFile ) {
+ if( force_size < 0 )
+ force_size = (offset - 1) / DVD_VIDEO_LB_LEN + 1;
+ if( dvd_file->filesize < force_size) {
+ dvd_file->filesize = force_size;
+ fprintf(stderr, "libdvdread: Ignored UDF provided size of file.\n");
+ }
+ }
+
+ if( offset > dvd_file->filesize * DVD_VIDEO_LB_LEN ) {
+ return -1;
+ }
+ dvd_file->seek_pos = (uint32_t) offset;
+ return offset;
+}
+
ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size )
{
unsigned char *secbuf_base, *secbuf;
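Review bot: For image files, `DVDFileSeekForce` raises `dvd_file->filesize` to whatever `force_size` the caller passes (or to the value derived from `offset`) before the bounds test, so `offset > dvd_file->filesize * DVD_VIDEO_LB_LEN` cannot reject an oversized seek on that path. The only remaining protection is the underlying read failing, which deserves a comment at the `isImageFile` branch and, if the real image size is available, a cap against it. The type of `filesize` is not visible here, but if it is 32-bit the product can overflow before the comparison; widening it avoids that: `if( offset > (int64_t)dvd_file->filesize * DVD_VIDEO_LB_LEN ) {`.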
@@ -1077,7 +1099,7 @@ ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size )
memcpy( data, &(secbuf[ seek_byte ]), byte_size );
free( secbuf_base );
- dvd_file->seek_pos += byte_size;
+ DVDFileSeekForce(dvd_file, dvd_file->seek_pos + byte_size, -1);
return byte_size;
}
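Review bot: The result of `DVDFileSeekForce` is discarded on the line that replaces `seek_pos += byte_size`, so a rejected seek leaves `seek_pos` where it was while `DVDReadBytes` still returns `byte_size`. The sum `dvd_file->seek_pos + byte_size` is narrowed to the `int offset` parameter, and a value above `INT_MAX` would most likely arrive negative and take the `offset < 0` rejection. Check the result, for example `if( DVDFileSeekForce(dvd_file, dvd_file->seek_pos + byte_size, -1) < 0 ) return -1;`. The body of DVDReadBytes starts outside this hunk.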
diff --git a/src/input/libdvdnav/dvd_reader.h b/src/input/libdvdnav/dvd_reader.h
index bb3f5053b..e1b051c00 100644
--- a/src/input/libdvdnav/dvd_reader.h
+++ b/src/input/libdvdnav/dvd_reader.h
@@ -171,6 +171,8 @@ ssize_t DVDReadBlocks( dvd_file_t *, int, size_t, unsigned char * );
*/
int32_t DVDFileSeek( dvd_file_t *, int32_t );
+int32_t DVDFileSeekForce( dvd_file_t *, int, int );
+
/**
* Reads the given number of bytes from the file. This call can only be used
* on the information files, and may not be used for reading from a VOB. This
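Review bot: `DVDFileSeekForce` is declared without a documentation comment, unlike the declarations around it, and its third parameter is not self-explanatory. The comment should say that `force_size` is a size in logical blocks, that a negative value derives it from `offset`, and that for image files the call can enlarge the recorded file size instead of failing. The prototype also takes `int` for the offset where `DVDFileSeek` takes `int32_t`; `int32_t DVDFileSeekForce( dvd_file_t *, int32_t, int );` (with the definition changed to match) would keep the two consistent.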
diff --git a/src/input/libdvdnav/ifo_read.c b/src/input/libdvdnav/ifo_read.c
index 8f47d2a54..bc1ba580b 100644
--- a/src/input/libdvdnav/ifo_read.c
+++ b/src/input/libdvdnav/ifo_read.c
@@ -93,6 +93,10 @@ static inline int DVDFileSeek_( dvd_file_t *dvd_file, uint32_t offset ) {
return (DVDFileSeek(dvd_file, (int)offset) == (int)offset);
}
+static inline int32_t DVDFileSeekForce_( dvd_file_t *dvd_file, uint32_t offset, int force_size ) {
+ return (DVDFileSeekForce(dvd_file, (int)offset, force_size) == (int)offset);
+}
+
ifo_handle_t *ifoOpen(dvd_reader_t *dvd, int title) {
ifo_handle_t *ifofile;
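Review bot: `DVDFileSeekForce_` compares the result with `(int)offset`, so an `offset` above `INT_MAX` that converts to `-1` (the usual outcome on two's-complement targets) makes the `-1` error return of `DVDFileSeekForce` look like a successful seek. Rejecting such offsets first removes the ambiguity: `if( offset > INT32_MAX ) return 0;`. The wrapper yields a truth value, so `int`, as `DVDFileSeek_` just above uses, would describe it better than `int32_t`.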
@@ -1507,7 +1511,7 @@ static int ifoRead_VOBU_ADMAP_internal(ifo_handle_t *ifofile,
unsigned int i;
int info_length;
- if(!DVDFileSeek_(ifofile->file, sector * DVD_BLOCK_LEN))
+ if(!DVDFileSeekForce_(ifofile->file, sector * DVD_BLOCK_LEN, sector))
return 0;
if(!(DVDReadBytes(ifofile->file, vobu_admap, VOBU_ADMAP_SIZE)))
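Review bot: `sector` is used twice on the changed line, multiplied by `DVD_BLOCK_LEN` for the offset and passed unchanged as `force_size`, so for image files the seek can no longer fail on size. The UDF-provided length is overridden by a value that presumably comes from the IFO data itself. If `sector` is a 32-bit unsigned value (its declaration is outside the hunk), `sector * DVD_BLOCK_LEN` also wraps for large sectors, and the wrapped offset then disagrees with the unwrapped `force_size`. A range check before the seek, such as `if(sector > INT32_MAX / DVD_BLOCK_LEN) return 0;`, keeps both arguments consistent. The function body starts and ends outside this hunk.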
diff --git a/src/xine-engine/xine.c b/src/xine-engine/xine.c
index ce0adf4de..5c8d0be9d 100644
--- a/src/xine-engine/xine.c
+++ b/src/xine-engine/xine.c
@@ -139,7 +139,7 @@ static int acquire_allowed_to_block(xine_ticket_t *this) {
unsigned new_size;
for(entry = 0; entry < this->holder_thread_count; ++entry) {
- if(this->holder_threads[entry].holder == own_id) {
+ if(pthread_equal(this->holder_threads[entry].holder, own_id)) {
/* This thread may already hold this ticket */
this->holder_threads[entry].count++;
return (this->holder_threads[entry].count == 1);
@@ -210,7 +210,7 @@ static int release_allowed_to_block(xine_ticket_t *this) {
unsigned entry;
for(entry = 0; entry < this->holder_thread_count; ++entry) {
- if(this->holder_threads[entry].holder == own_id) {
+ if(pthread_equal(this->holder_threads[entry].holder, own_id)) {
this->holder_threads[entry].count--;
return this->holder_threads[entry].count == 0;
}
@@ -1710,6 +1710,12 @@ void xine_init (xine_t *this) {
/* First of all, initialise libxdg-basedir as it's used by plugins. */
this->basedir_handle = xdgAllocHandle();
+ /*
+ * locks
+ */
+ pthread_mutex_init (&this->streams_lock, NULL);
+ pthread_mutex_init (&this->log_lock, NULL);
+
/* initialize color conversion tables and functions */
init_yuv_conversion();
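Review bot: The comment `locks` on the moved block does not record why the mutexes must be initialised this early in `xine_init`, which is the whole reason for the move. Presumably code that runs later in the function can take `log_lock` or `streams_lock` before the old position was reached; if so, say it, e.g. `/* locks: initialise before anything below that may log or use the stream list */`. The return values of both `pthread_mutex_init` calls are also ignored. xine_init continues outside this hunk.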
@@ -1791,12 +1797,6 @@ void xine_init (xine_t *this) {
this->streams = xine_list_new();
/*
- * locks
- */
- pthread_mutex_init (&this->streams_lock, NULL);
- pthread_mutex_init (&this->log_lock, NULL);
-
- /*
* start metronom clock
*/
diff --git a/src/xine-utils/xmllexer.c b/src/xine-utils/xmllexer.c
index 75a1aafec..394ca397f 100644
--- a/src/xine-utils/xmllexer.c
+++ b/src/xine-utils/xmllexer.c
@@ -445,6 +445,8 @@ int lexer_get_token_d(char ** _tok, int * _tok_size, int fixed) {
case '\"': /* " */
case ' ':
case '\t':
+ case '\n':
+ case '\r':
case '=':
case '/':
tok[tok_pos] = '\0';