-rw-r--r-- | .hgtags | 1 | ||||
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | configure.ac | 12 | ||||
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | src/demuxers/demux_flac.c | 15 | ||||
-rw-r--r-- | src/demuxers/demux_mpgaudio.c | 5 |
6 files changed, 31 insertions, 16 deletions
@@ -65,3 +65,4 @@ e0a332b9d3e8bb3fad4d7feac1e519292b062056 xine-lib-1_1_8-release b6be674453e922114b55d4613cb197c77d19f094 xine-lib-1_1_9-release 9438947f88ad2bed1832385301c6b4e62709625a xine-lib-1_1_9_1-release 7f1232425c6d715c404e6df1292075b33ecb8305 xine-lib-1_1_10-release +0e9e4df266f639ac7ba9e0c204f205686b56d5f9 xine-lib-1_1_10_1-release @@ -1,5 +1,4 @@ xine-lib (1.1.11) unreleased - * Fix a RealPlayer codec detection bug. * Reworked the plugin directory naming so that external plugins don't have to be rebuilt for every release. We now use a naming scheme based on the API/ABI versioning, checking older directories - with this release, the @@ -7,6 +6,15 @@ xine-lib (1.1.11) unreleased future release, 1.19 will still be available for external plugins. (Any directories not 1.* won't be looked in.) +xine-lib (1.1.10.1) 2008-02-07 + * Security fixes: + - Array index vulnerability which may allow remote attackers to execute + arbitrary code via a crafted FLAC tag, causing a stack buffer overflow. + (CVE-2008-0486) + * Fix a RealPlayer codec detection bug. + * Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag + size. + xine-lib (1.1.10) 2008-01-26 * Security fixes: - Buffer overflow which allows a remote attacker to execute arbitrary diff --git a/configure.ac b/configure.ac index 51d30234b..45f262159 100644 --- a/configure.ac +++ b/configure.ac @@ -16,15 +16,15 @@ dnl XINE_SUB += 1; XINE_PATCH = ''; continue with XINE_LT_* values below dnl XINE_MAJOR=1 XINE_MINOR=1 -XINE_SUB=10 -# XINE_PATCH should be left empty or set to ".1" or ".2" or something similar +XINE_SUB=11 +dnl XINE_PATCH should be left empty or set to ".1" or ".2" or something similar XINE_PATCH= -#if test $XINE_SUB -eq 0 ; then -# XINE_SUBPART=""; -#else +dnl if test $XINE_SUB -eq 0 ; then +dnl XINE_SUBPART=""; +dnl else XINE_SUBPART=".$XINE_SUB$XINE_PATCH" -#fi +dnl fi dnl The libtool version numbers (XINE_LT_*); Don't even think about faking this! dnl 
diff --git a/debian/changelog b/debian/changelog index ee28516de..9f2640f7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xine-lib (1.1.10+hg-0) unstable; urgency=low +xine-lib (1.1.10.1+hg-0) unstable; urgency=low [ Darren Salt ] * Hg snapshot. @@ -7,7 +7,7 @@ xine-lib (1.1.10+hg-0) unstable; urgency=low * remove gs from build-dependencies * change the maintainer field to xine-devel@lists.sourceforge.net. - -- Darren Salt <linux@youmustbejoking.demon.co.uk> Sun, 27 Jan 2008 01:41:45 +0000 + -- Darren Salt <linux@youmustbejoking.demon.co.uk> Thu, 07 Feb 2008 17:52:34 +0000 xine-lib (1.1.5~cvs-0) unstable; urgency=low diff --git a/src/demuxers/demux_flac.c b/src/demuxers/demux_flac.c index 23e2faef9..e5d1297a2 100644 --- a/src/demuxers/demux_flac.c +++ b/src/demuxers/demux_flac.c @@ -189,7 +189,7 @@ static int open_flac_file(demux_flac_t *flac) { case 4: lprintf ("VORBIS_COMMENT metadata\n"); { - char comments[block_length]; + char comments[block_length + 1]; /* last byte for NUL termination */ char *ptr = comments; uint32_t length, user_comment_list_length; int cn; @@ -202,18 +202,25 @@ static int open_flac_file(demux_flac_t *flac) { length = _X_LE_32(ptr); ptr += 4 + length; + if (length >= block_length - 8) + return 0; /* bad length or too little left in the buffer */ user_comment_list_length = _X_LE_32(ptr); ptr += 4; cn = 0; for (; cn < user_comment_list_length; cn++) { + if (ptr > comments + block_length - 4) + return 0; /* too little left in the buffer */ + length = _X_LE_32(ptr); ptr += 4; + if (length >= block_length || ptr + length > comments + block_length) + return 0; /* bad length */ comment = (char*) ptr; c = comment[length]; - comment[length] = 0; + comment[length] = 0; /* NUL termination */ lprintf ("comment[%02d] = %s\n", cn, comment); 
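Review bot: `char comments[block_length + 1];` is still a variable-length array on the stack, so a metadata block that declares a large length can exhaust the stack before any of the new length checks run; the extra byte only fixes the terminator write. Allocating on the heap, `char *comments = malloc(block_length + 1); if (!comments) return 0;`, and freeing it on every exit from this case would turn that into a clean failure. Where block_length is read and how the buffer is filled are outside the hunk, so it is worth confirming there that a short read is rejected too. open_flac_file starts and ends outside the visible lines.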
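Review bot: The vendor-string check `if (length >= block_length - 8)` runs only after `ptr += 4 + length;`, and for a block_length below 8 its right-hand side, compared as unsigned against the uint32_t `length`, wraps to a very large value (block_length's declaration is outside the hunk), so the test passes and the following `_X_LE_32(ptr)` reads outside `comments`. Testing before advancing avoids both the wrap and forming an out-of-range pointer: `if (block_length < 8 || length >= block_length - 8) return 0;` followed by `ptr += 4 + length;`. In the loop, `ptr + length > comments + block_length` is safer as a comparison of lengths, `length > (size_t)(comments + block_length - ptr)`, so that no pointer past the buffer is computed. The loop body continues outside the hunk.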
@@ -248,8 +255,8 @@ static int open_flac_file(demux_flac_t *flac) { } if ((tracknumber > 0) && (tracktotal > 0)) { - char tn[16]; - snprintf (tn, 16, "%02d/%02d", tracknumber, tracktotal); + char tn[24]; + snprintf (tn, 24, "%02d/%02d", tracknumber, tracktotal); _x_meta_info_set(flac->stream, XINE_META_INFO_TRACK_NUMBER, tn); } else if (tracknumber > 0) { diff --git a/src/demuxers/demux_mpgaudio.c b/src/demuxers/demux_mpgaudio.c index 1bea02302..82a7dd7ab 100644 --- a/src/demuxers/demux_mpgaudio.c +++ b/src/demuxers/demux_mpgaudio.c @@ -807,7 +807,6 @@ static int demux_mpgaudio_read_head(input_plugin_t *input, uint8_t *buf) { * return 1 if detected, 0 otherwise */ static int detect_mpgaudio_file(input_plugin_t *input) { - mpg_audio_frame_t frame; uint8_t buf[MAX_PREVIEW_SIZE]; int preview_len; uint32_t head; @@ -838,8 +837,8 @@ static int detect_mpgaudio_file(input_plugin_t *input) { lprintf("cannot read mp3 frame header\n"); return 0; } - if (!parse_frame_header(&frame, &buf[10 + tag_size])) { - lprintf ("invalid mp3 frame header\n"); + if (!sniff_buffer_looks_like_mp3(&buf[10 + tag_size], preview_len - 10 - tag_size)) { + lprintf ("sniff_buffer_looks_like_mp3 failed\n"); return 0; } else { lprintf ("a valid mp3 frame follows the id3v2 tag\n"); |
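Review bot: The buffer size is written twice in `char tn[24];` and `snprintf (tn, 24, ...)`, so the declaration and the bound can drift apart on the next change; `snprintf (tn, sizeof(tn), "%02d/%02d", tracknumber, tracktotal);` keeps them tied. Assuming both values are int, as the `%d` conversions suggest, a short comment such as `/* two ints of up to 11 chars each, '/', NUL */` would record why 24 is enough. The enclosing if/else chain continues outside the hunk.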
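Review bot: Both arguments in `sniff_buffer_looks_like_mp3(&buf[10 + tag_size], preview_len - 10 - tag_size)` depend on tag_size, which this commit's ChangeLog entry says must not be trusted, and the bound that keeps `10 + tag_size` inside `preview_len` is not visible in the hunk (only the tail of an earlier check is). If that earlier check does not guarantee `10 + tag_size < preview_len`, the pointer leaves `buf` and the length argument goes negative or wraps. I would compute the offset once and state the invariant next to the call, e.g. `/* 10 + tag_size < preview_len is established by the check above */`, and confirm how the callee handles a very short remaining length. The new log text `sniff_buffer_looks_like_mp3 failed` also tells the reader less than the old `invalid mp3 frame header`.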