xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.
|
|
Whenever an allocated memory area is immediately filled in with a
string through strcpy() or strncpy(), replace the calls with the
appropriate strn?dup().
|
|
Using asprintf() instead of malloc() + sprintf() reduces the lines of
code in xine-lib (moving the allocation to the C library or asprintf
replacement), makes it safer to access the string and can also improve
performance whenever the value returned by a function was used as
parameter, as before it had to run the function twice in almost every
case (once for strlen(), once for sprintf()).
|
|
The xine_xmalloc() function is going to be deprecated, as its
behaviour is rarely needed as such, and it's thus misused.
With this, almost all uses of xine_xmalloc() with static size (for
instance the value returned by sizeof()) or with a size that is
guaranteed not to be zero (like strlen()+1) are replaced with calls to
either calloc(1, ...) or malloc().
malloc() is used whenever the allocated memory is going to be
immediately overwritten, while calloc() is used in every other case,
as it sets the whole memory area to zero.
--HG--
extra : transplant_source : %8F%98%EC%02%1E%83%F0s%06X%83C%205Y%80%B12%CC%E1
|
|
1.2 series.
|
|
elements by the size of the single element.
(transplanted from 512894f517c423fed0cadeca0d46c6d909403106)
--HG--
extra : transplant_source : Q%28%94%F5%17%C4%23%FE%D0%CA%DE%CA%0DF%C6%D9%09%401%06
|
|
|
|
--HG--
extra : transplant_source : %E0%D0%C5%8B%BEU%DD%24%5D7%1F%ADV%AD%EB%23%CBU%80%EB
|
|
For contributed code, leave whatever the version we last synced for is using,
to make future syncs simpler.
|
|
|
|
|
|
Hi, I've been tracking down a very odd bug this afternoon. As it turns
out it is caused by enabling xine's mmap() support for the input_file.c.
I'm running 32 bit linux 2.6.21. The file in question is 0x10e4da000
bytes long (you can probably guess what kind of bug this is by now :)
Anyway, the issue stems from the definition of mmap():
void *mmap(void *start, size_t length, int prot, int flags, int fd,
off_t offset);
compare this to the definition of st_size in struct stat:
off_t st_size; /* total size, in bytes */
On my machine (in input_file.c) sizeof(size_t) ==4, whilst
sizeof(off_t) == 8. However the compiler doesn't generate a warning
when the following is done in xine's code:
if ( (this->mmap_base = mmap(NULL, sbuf.st_size, PROT_READ,
MAP_SHARED, this->fh, 0)) != (void*)-1
So it silently truncates the upper part of the length. Obviously you
cannot mmap() a file that large into (32 bit) memory anyway, but as it turns
out, mmapping() 0xe4da000 succeeds, which causes... problems.
The patch (against xine-lib 1.1.6) does two things:
* Check that the length will not be truncated, while still allowing
for mmap()s of large files under 64 bit OSes.
* A correctness fix: if mmap() fails, this->mmap_base will be set to
0xffffffff. Later on when the file is closed, this means it was
attempting to do munmap(0xffffffff).
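As an added illustration of the two points in this message (not code from the xine-lib patch or project), the following C program shows the st_size to size_t guard and the MAP_FAILED handling in isolation. The `file_input_t` struct, the `truncated_length()` / `length_fits_in()` helpers (which take the size_t width as a parameter so the 32-bit outcome can be reproduced on a 64-bit host) and the temporary-file self-check are all constructed for this example and do not mirror xine's own input_file.c layout.

```c
/* Added example (not xine-lib code): guard the st_size -> size_t conversion
 * before mmap() and keep mmap_base NULL (never MAP_FAILED) so that munmap()
 * on close is only issued for a real mapping. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Hypothetical stand-in for the plugin's private state (xine's real struct differs). */
typedef struct {
    int    fh;
    void  *mmap_base;   /* NULL whenever no mapping is active */
    size_t mmap_len;
} file_input_t;

/* The value a size_t of the given bit width receives when st_size is converted
 * silently, i.e. the truncated length the unguarded call passed to mmap(). */
uint64_t truncated_length(uint64_t file_size, unsigned size_t_bits) {
    if (size_t_bits >= 64) return file_size;
    return file_size & ((UINT64_C(1) << size_t_bits) - 1);
}

/* Width-parametrised form of the check, so the 32-bit case is visible on any host. */
int length_fits_in(uint64_t file_size, unsigned size_t_bits) {
    return truncated_length(file_size, size_t_bits) == file_size;
}

/* The check as it runs on this host: st_size must be non-negative and
 * representable as size_t, otherwise mmap() is not attempted at all. */
int mmap_length_fits(off_t st_size, size_t *len_out) {
    if (st_size < 0) return 0;
    if ((uintmax_t)st_size > (uintmax_t)SIZE_MAX) return 0;   /* would truncate */
    *len_out = (size_t)st_size;
    return 1;
}

/* Map the open file if its size is usable. On any failure mmap_base stays NULL
 * rather than holding MAP_FAILED ((void*)-1). Returns 1 when a mapping is active. */
int file_try_mmap(file_input_t *self) {
    struct stat sbuf;
    size_t len;
    self->mmap_base = NULL;
    self->mmap_len = 0;
    if (fstat(self->fh, &sbuf) != 0) return 0;
    if (!mmap_length_fits(sbuf.st_size, &len)) return 0;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, self->fh, 0);
    if (p == MAP_FAILED) return 0;           /* e.g. zero-length file: EINVAL */
    self->mmap_base = p;
    self->mmap_len = len;
    return 1;
}

/* Release only a real mapping; munmap((void*)-1, ...) can never happen here. */
void file_close_mapping(file_input_t *self) {
    if (self->mmap_base != NULL) {
        munmap(self->mmap_base, self->mmap_len);
        self->mmap_base = NULL;
        self->mmap_len = 0;
    }
}

/* Self-check on a constructed temporary file of `bytes` bytes: returns 1 when the
 * mapping outcome matches `expect_mapped` and closing leaves mmap_base NULL. */
int demo_with_tmpfile(size_t bytes, int expect_mapped) {
    FILE *f = tmpfile();
    if (!f) return 0;
    for (size_t i = 0; i < bytes; i++) fputc('x', f);
    fflush(f);
    file_input_t in = { fileno(f), NULL, 0 };
    int mapped = file_try_mmap(&in);
    int ok = (mapped == expect_mapped) &&
             (mapped ? in.mmap_base != NULL : in.mmap_base == NULL);
    file_close_mapping(&in);                 /* safe in both branches */
    ok = ok && in.mmap_base == NULL;
    fclose(f);
    return ok;
}

int main(void) {
    uint64_t big = UINT64_C(0x10e4da000);    /* the file size from the report */
    printf("0x10e4da000 seen by a 32-bit size_t: 0x%llx\n",
           (unsigned long long)truncated_length(big, 32));
    printf("fits 32-bit: %d, fits 64-bit: %d\n",
           length_fits_in(big, 32), length_fits_in(big, 64));
    printf("4096-byte file mapped ok: %d, empty file handled ok: %d\n",
           demo_with_tmpfile(4096, 1), demo_with_tmpfile(0, 0));
    return 0;
}
```

The empty-file case exercises the second fix: mmap() of length zero fails, and with the guard the later close path sees a NULL base instead of attempting munmap() on (void*)-1.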
|
|
CVS patchset: 8774
CVS date: 2007/03/29 19:45:33
|
|
CVS patchset: 8627
CVS date: 2007/02/25 18:04:08
|
|
CVS patchset: 8524
CVS date: 2007/01/19 01:05:24
|
|
*, so that 'return "something"' is valid. Note that _()/gettext() returns a char * that is statically allocated and that the documentation considers constant.
CVS patchset: 8519
CVS date: 2007/01/18 23:02:18
|
|
strings or names of files, device nodes or directories. This information is
available to front ends (via .num_value) so that they can present
file/dir-open dialogue boxes if they so choose.
Subtitle font selection is split up due to this.
CVS patchset: 8425
CVS date: 2006/12/19 19:10:50
|
|
CVS patchset: 8326
CVS date: 2006/10/01 20:14:43
|
|
CVS patchset: 8266
CVS date: 2006/09/16 14:38:18
|
|
CVS patchset: 8265
CVS date: 2006/09/16 14:35:44
|
|
input plugins are not tried and the proper error message is returned. Bug #1550763.
CVS patchset: 8232
CVS date: 2006/09/13 23:22:51
|
|
CVS patchset: 8215
CVS date: 2006/09/10 01:46:45
|
|
CVS patchset: 8214
CVS date: 2006/09/10 00:59:37
|
|
performance on local files.
CVS patchset: 8213
CVS date: 2006/09/09 22:11:08
|
|
(through backports), to avoid exporting unneeded internal symbols, making plugins' loading faster and use of internal copies of libraries more solid. It should automatically fall back to the old way in GCCs that do not support -fvisibility=hidden, but this has to be tested carefully. No issues were found in the months of testing in Gentoo, but this requires special attention anyway.
CVS patchset: 8101
CVS date: 2006/07/10 22:08:12
|
|
(Diego Pettenò)
CVS patchset: 7985
CVS date: 2006/05/03 19:46:06
|
|
http://article.gmane.org/gmane.comp.video.xine.devel/15139
CVS patchset: 7934
CVS date: 2006/03/17 18:21:23
|
|
CID: 176
Checker: RESOURCE_LEAK (help)
File: xine-lib/src/input/input_file.c
Function: file_class_get_dir
Description: Returned without freeing storage "hide_files"
CID: 176
Checker: RESOURCE_LEAK (help)
File: xine-lib/src/input/input_file.c
Function: file_class_get_dir
Description: Returned without freeing storage "dir_files"
CID: 176
Checker: RESOURCE_LEAK (help)
File: xine-lib/src/input/input_file.c
Function: file_class_get_dir
Description: Returned without freeing storage "norm_files"
CVS patchset: 7932
CVS date: 2006/03/16 22:17:16
|
|
Bill Fink <billfink@mindspring.com>
CVS patchset: 7927
CVS date: 2006/03/16 10:52:32
|
|
hopefully somebody will be able to help fixing the
mess I did in dvdnav ;)
CVS patchset: 7759
CVS date: 2005/10/14 21:02:16
|
|
CVS patchset: 7716
CVS date: 2005/09/02 22:39:42
|
|
Windows ports fixes and improvements due to my current work on toxine:
- first experiments with external win32 pthreads,
more portable code (pthread_t may be a struct)
- headers refactored
- moved dirent win32 replacement to lib/, hide it for frontends,
used system version, if found, not used non-POSIX dirent->d_reclen
(this item doesn't work in MinGW), fix memleak in dvb
- separated settings for postproc and avcodec when using external ffmpeg
- check for malloc.h in public xine.m4, used it conditionally in xine headers
- replaced random() by POSIX more common rand()
- prevent one segfault in directx vo plugin, if fails
- M$VC port update
CVS patchset: 7709
CVS date: 2005/08/25 15:36:29
|
|
for the size of a FIFO
Fix a file descriptor leak when the length of a file is zero
CVS patchset: 7632
CVS date: 2005/06/21 09:59:49
|
|
(zero-sized) file
CVS patchset: 7591
CVS date: 2005/05/29 12:29:41
|
|
Added PLUGIN_NO_UNLOAD to the gnome_vfs plugin because unloading this plugin causes trouble (segfault).
Current plugin loader preloads all input and demuxer plugins, so adding these flags will not change the current behavior of the lib.
CVS patchset: 7390
CVS date: 2005/02/07 23:58:57
|
|
Incremented all input plugins API version.
CVS patchset: 7384
CVS date: 2005/02/06 15:00:34
|
|
reserves these names for use by the C implementation
CVS patchset: 7288
CVS date: 2004/12/20 21:22:18
|
|
and backwards compatible translation
Sorry, I got a little tired proof-reading the patch, so there might be
bugs lurking around. I will give it some further examination and
(as necessary) fixing tomorrow.
CVS patchset: 7233
CVS date: 2004/12/12 22:00:47
|
|
Compilation fix for CygWin.
CVS patchset: 6932
CVS date: 2004/09/02 19:56:40
|
|
to overflow, but it could be possible)
input_cdda contains the copy&paste bug of filling the buffer to its end
and then appending yet another character
CVS patchset: 6848
CVS date: 2004/07/25 17:11:59
|
|
is. Should protect against a plugin returning a malloc'd variable for
example.
CVS patchset: 6821
CVS date: 2004/07/20 00:50:10
|
|
CVS patchset: 6731
CVS date: 2004/06/22 14:31:40
|
|
http://article.gmane.org/gmane.comp.video.xine.devel/9532
it is now up to demuxers to decide what the 0..65535 position means.
demuxers tested: ogg, voc, flac, rm, asf, vqa, vob, avi, y4m, au, mov, ts, mp3, mpg, wav, ra, mve
CVS patchset: 6686
CVS date: 2004/06/13 21:28:52
|
|
and file plugins
CVS patchset: 6404
CVS date: 2004/04/15 00:14:56
|
|
CVS patchset: 6383
CVS date: 2004/04/10 15:45:10
|
|
CVS patchset: 5912
CVS date: 2003/12/14 22:13:22
|
|
relevant too. Small other little fix (can't remember). Changed a few internal function prototypes because the xine_t pointer needs to be used in some of xine's internal sections. NOTE: libdvd{nav,read} is still too noisy, I will take a look to make it quiet, without invasive changes. To be continued...
CVS patchset: 5844
CVS date: 2003/12/05 15:54:56
|
|
CVS patchset: 5796
CVS date: 2003/11/26 19:43:26
|