diff options
| -rw-r--r-- | .hgtags | 1 | ||||
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | debian/libxine2.install | 1 | ||||
| -rw-r--r-- | src/audio_out/audio_pulse_out.c | 12 | ||||
| -rw-r--r-- | src/combined/xine_speex_decoder.c | 9 | ||||
| -rw-r--r-- | src/demuxers/demux_qt.c | 9 | ||||
| -rw-r--r-- | src/spu_dec/sputext_demuxer.c | 9 |
7 files changed, 35 insertions, 12 deletions
@@ -72,3 +72,4 @@ c3a5e9ba6dfc694408275a54114d571d68acbd25 vdr-xine-version-712 ffe7962edb79c2ed967b82a82ccfb2ac7eb148a2 vdr-xine-version-802 10a6bc10e58f45f6cb79f634bdb6b7daa3167742 xine-lib-1_1_11-release 2a2cc543b27b64a6587dfaef4f1d986eb2f2710a xine-lib-1_1_11_1-release +66e1654718fb0581846d60c60bc09ae3b6b8c0cf xine-lib-1_1_12-release @@ -64,7 +64,11 @@ xine-lib (1.1.90) (Unreleased) * Report more video output capabilities via (port)->get_capabilities(): colour controls, zooming, colour keying. -xine-lib (1.1.12) 2008-??-?? +xine-lib (1.1.13) 2008-??-?? + +xine-lib (1.1.12) 2008-04-14 + * Security fixes: + - Insufficient boundary check in speex audio decoder. (CVE-2008-1686) * Fixed and improved the PulseAudio driver. * Fixed a regression in 1.1.11.1 which broke Quicktime container handling. * And another, this time in the Matroska demuxer. diff --git a/debian/libxine2.install b/debian/libxine2.install index 980d1ed4a..3f43fd950 100644 --- a/debian/libxine2.install +++ b/debian/libxine2.install @@ -7,3 +7,4 @@ usr/share/locale usr/share/xine-lib usr/share/doc/libxine2/hackersguide/* usr/share/bug/libxine2/presubj +usr/share/man/man1/xine-list*.1 diff --git a/src/audio_out/audio_pulse_out.c b/src/audio_out/audio_pulse_out.c index 9a1620e45..0c7790749 100644 --- a/src/audio_out/audio_pulse_out.c +++ b/src/audio_out/audio_pulse_out.c @@ -669,9 +669,15 @@ static int ao_pulse_set_property (ao_driver_t *this_gen, int property, int value o = pa_context_set_sink_input_mute(this->context, pa_stream_get_index(this->stream), value, __xine_pa_context_success_callback, this); #else - /* FIXME: breaks (volume=0 after unmuting) unless the volume is - * adjusted first (due to swvolume not being initialised properly) - */ + /* Get the current volume, so we can restore it properly. */ + o = pa_context_get_sink_input_info(this->context, pa_stream_get_index(this->stream), + __xine_pa_sink_info_callback, this); + + if (o) { + wait_for_operation(this, o); + pa_operation_unref(o); + } + if ( value ) pa_cvolume_mute(&this->cvolume, pa_stream_get_sample_spec(this->stream)->channels); else diff --git a/src/combined/xine_speex_decoder.c b/src/combined/xine_speex_decoder.c index 865232e30..5116f70e2 100644 --- a/src/combined/xine_speex_decoder.c +++ b/src/combined/xine_speex_decoder.c @@ -203,7 +203,7 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) { if (!this->st) { SpeexMode * spx_mode; SpeexHeader * spx_header; - int modeID; + unsigned int modeID; int bitrate; speex_bits_init (&this->bits); @@ -215,7 +215,12 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) { return; } - modeID = spx_header->mode; + modeID = (unsigned int)spx_header->mode; + if (modeID >= SPEEX_NB_MODES) { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, LOG_MODULE ": invalid mode ID %u\n", modeID); + return; + } + spx_mode = (SpeexMode *) speex_mode_list[modeID]; if (spx_mode->bitstream_version != spx_header->mode_bitstream_version) { diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c index b8e0acb12..9329403d7 100644 --- a/src/demuxers/demux_qt.c +++ b/src/demuxers/demux_qt.c @@ -1263,10 +1263,11 @@ static qt_error parse_trak_atom (qt_trak *trak, if (_X_BE_32(&trak_atom[atom_pos + 0x2C])) trak->stsd_atoms[k].audio.bytes_per_sample = _X_BE_32(&trak_atom[atom_pos + 0x2C]); - trak->stsd_atoms[k].audio.samples_per_frame = - (trak->stsd_atoms[k].audio.bytes_per_frame / - trak->stsd_atoms[k].audio.bytes_per_packet) * - trak->stsd_atoms[k].audio.samples_per_packet; + if (trak->stsd_atoms[k].audio.bytes_per_packet) + trak->stsd_atoms[k].audio.samples_per_frame = + (trak->stsd_atoms[k].audio.bytes_per_frame / + trak->stsd_atoms[k].audio.bytes_per_packet) * + trak->stsd_atoms[k].audio.samples_per_packet; } /* see if the trak deserves a promotion to VBR */ diff --git a/src/spu_dec/sputext_demuxer.c b/src/spu_dec/sputext_demuxer.c index d7d1361b1..b70164172 100644 --- a/src/spu_dec/sputext_demuxer.c +++ b/src/spu_dec/sputext_demuxer.c @@ -263,7 +263,7 @@ static char *sub_readtext(char *source, char **dest) { } *dest= (char *)xine_xmalloc (len+1); - if (!dest) + if (!(*dest)) return ERR; strncpy(*dest, source, len); @@ -544,6 +544,8 @@ static subtitle_t *sub_read_line_ssa(demux_sputext_t *this,subtitle_t *current) line3) < 9 ); line2=strchr(line3, ','); + if (!line2) + return NULL; for (comma = 4; comma < max_comma; comma ++) { @@ -895,7 +897,10 @@ static subtitle_t *sub_read_line_jacobsub(demux_sputext_t *this, subtitle_t *cur } } *q = '\0'; - current->text[current->lines] = strdup(line1); + if (current->lines < SUB_MAX_TEXT) + current->text[current->lines] = strdup(line1); + else + xprintf (this->stream->xine, XINE_VERBOSITY_DEBUG, "Too many lines in a subtitle\n"); } current->lines++; return current; |