Age | Commit message | Author |
|
xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.
|
|
xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.
|
|
Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.
|
|
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c. NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.
|
|
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
versions before 1.1.15, allow remote attackers to execute arbitrary
code via vectors related to (1) a crafted metadata atom size processed
by the parse_moov_atom function in demux_qt.c and (2) frame reading in
the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is
possible that vector 1 has not been fixed in 1.1.15.
case ( FOURCC_TAG('C', 'O', 'M', 'M') ):
_x_meta_info_set_generic(stream, XINE_META_INFO_COMMENT, buf + 1 + 3, id3_encoding[enc]);
|
|
This could happen where the actual image height is not a multiple of 16.
|
|
There are two potential integer overflow bugs in process_commands().
process_commands() reads some tainted data from socket to "cmd", but doesn't
check cmd rightly.
|
|
There is an integer overflow bug in ff_audio_decode_data().
A crafted file could cause heap crash.
|
|
Date: Thu, 1 May 2008 21:09:25 +0200
This patch improves the parsing of cddb information:
* Disc and track titles can now contain '='.
* If a track title is of the form <track-artist> / <track-title> the
meta-info will contain the track-artist rather than the disc-artist.
I have tested these changes together with my get_dir patch with the
sources from debian testing/security and both Amarok and gxine now
show the right artists for tracks on a compilation album.
|
|
Date: Thu, 1 May 2008 21:05:55 +0200
This patch adds a cdda_class_get_dir method to the cdda input plugin.
I can now add an audio cd to a play-list in Amarok.
There may be small interruptions if another cd is playing though, so
it would be desirable to lower the priority for access to the
cd-drive by the get_dir function.
|
|
For more information see xine bug #114.
|
|
Source is the version in the 1.2 branch.
|
|
|
|
|
|
|
|
|
|
|
|
This works fine on some chipsets, but on others, it causes image corruption.
|
|