Age | Commit message | Author |
|
The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.
|
|
xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.
|
|
Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.
|
|
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c. NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.
|
|
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
versions before 1.1.15, allow remote attackers to execute arbitrary
code via vectors related to (1) a crafted metadata atom size processed
by the parse_moov_atom function in demux_qt.c and (2) frame reading in
the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is
possible that vector 1 has not been fixed in 1.1.15.
case ( FOURCC_TAG('C', 'O', 'M', 'M') ):
_x_meta_info_set_generic(stream, XINE_META_INFO_COMMENT, buf + 1 + 3, id3_encoding[enc]);
|
|
It was not possible to compile some parts of XINE-LIB with NLS enabled. It's
also a good idea to explicitly enable --enable-stdcall-fixup for solving a
huge amount of warnings. Attached patch fixes these problems.
|
|
When it comes to FLAC audio files, seeking relies on seekpoints which are
not always present, and even when they are, sometimes it fails. Also, as far
as I can see, xine is unable to play a FLAC stream starting at an arbitrary
position.
Other players (namely mplayer) do not rely on seekpoints when they handle
FLAC files and they don't suffer from these problems.
With this patch, time-based seeking doesn't change, while position-based
seeking is completely independent from seekpoints.
|
|
- goom initialization
- matroska playing recent files with AAC
- replace free() by ffmpeg's av_free() in ff decoders
|
|
Add warning flags to the DEBUG_CFLAGS too.
|
|
Without this patch, the video freezes.
Available corrupted sample:
http://hftom.free.fr/video_samples/corrupted_video.m2t
|
|
Date: Sat, 28 Jun 2008 17:29:59 +0200
This patch adds this to the FLAC demuxer.
|
|
- Added support for new formats introduced by Adobe's Video File Format Specification v9
(including H264 and AAC).
- Fixed a problem with seeking when movie length is not specified in the headers.
|
|
For more information see xine bug #114.
|
|
for some unknown reason, alloca is defined in <malloc.h> on mingw32.
|
|
Cleanup the code to follow the new code style, and in particular use
memmem() to identify the start of a frame rather than trying to look
for it manually byte by byte.
|
|
When it makes sense, use _x_is_fourcc() too.
|
|
Rather than checking for the ID3 signature manually use id3_istag()
function.
Also use the _X_BE_32_synchsafe function rather than re-implementing
it again.
Use memcmp() to look for MPC signature.
|
|
When processing the header, read the whole 12-bytes block at once,
then use _x_is_fourcc() to check for the signatures, and only then try
to find the size.
|
|
Use memcmp over the signature rather than checking byte by byte.
|
|
Also try to simplify frame buffer allocation.
|
|
Now that the macros are either imported from the system or defined by
configure, don't define them in every source file.
|
|
All the initialisation functions returning a new object instance that
was allocated through malloc() or calloc() can get the malloc
attribute so that the compiler can optimise their call.
|
|
Instead of using a 1KB buffer to copy over the Content-Type header
value to compare it, get a (pointer, length) pair and use that for
comparison.
This should also allow the compiler to inline the
decode_anxdata_header() function.
|
|
In update_chapter_display() the t_title array, declared on the buffer,
is used after it has disappeared from the scope. Instead of doing
that, use directly the xine_ui_data_t array.
Declare xine_event_t and xine_ui_data_t with their values directly,
makes it more explicit that everything disappears at the end of the
function.
|