From f3e691cf556bd4ad1338f222ffcf5eaecafd6a24 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 13:49:08 +0000 Subject: Fix a buffer overflow in the RTSP header-handling code. CVE-2008-0225; ported from mplayer changeset 22821. --- ChangeLog | 3 ++ src/input/libreal/rmff.c | 85 +++++++++++++++++++++++++++++----------- src/input/libreal/rmff.h | 6 +++ src/input/librtsp/rtsp_session.c | 6 +++ 4 files changed, 78 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 89c0beddb..ab355ba75 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,7 @@ xine-lib (1.1.9.1) (unreleased) + * Security fixes: + - Fix a buffer overflow in RTSP header-handling code. (CVE-2008-0225) + (Fix ported from mplayer changeset 22821) * Fix a read-past-end bug in xine-lib's internal strtok_r replacement. (Only affects systems without strtok_r.) [Bug #19] diff --git a/src/input/libreal/rmff.c b/src/input/libreal/rmff.c index 159b81ee6..b79eb5e0f 100644 --- a/src/input/libreal/rmff.c +++ b/src/input/libreal/rmff.c @@ -35,9 +35,13 @@ * writes header data to a buffer */ -static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { +static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) { + + if (!fileheader) return 0; + + if (bufsize < RMFF_FILEHEADER_SIZE) + return -1; - if (!fileheader) return; fileheader->object_id=_X_BE_32(&fileheader->object_id); fileheader->size=_X_BE_32(&fileheader->size); fileheader->object_version=_X_BE_16(&fileheader->object_version); 
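Review bot: The new return contract of rmff_dump_fileheader (0 when fileheader is NULL, -1 when bufsize is smaller than RMFF_FILEHEADER_SIZE, otherwise the byte count) is not written down anywhere, while rmff_dump_header now depends on the sign of that result; the comment above the function still says only that it writes header data to a buffer. Suggest extending that comment with `Returns the number of bytes written, 0 for a NULL header, or -1 if bufsize is too small; buffer is left untouched in the -1 case.` The same applies to rmff_dump_prop, rmff_dump_mdpr, rmff_dump_cont and rmff_dump_dataheader in the following hunks. The body of rmff_dump_fileheader continues outside this hunk.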
@@ -53,11 +57,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { fileheader->file_version=_X_BE_32(&fileheader->file_version); fileheader->num_headers=_X_BE_32(&fileheader->num_headers); fileheader->object_id=_X_BE_32(&fileheader->object_id); + + return RMFF_FILEHEADER_SIZE; } -static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { +static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) { + + if (!prop) return 0; + + if (bufsize < RMFF_PROPHEADER_SIZE) + return -1; - if (!prop) return; prop->object_id=_X_BE_32(&prop->object_id); prop->size=_X_BE_32(&prop->size); prop->object_version=_X_BE_16(&prop->object_version); @@ -93,13 +103,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { prop->num_streams=_X_BE_16(&prop->num_streams); prop->flags=_X_BE_16(&prop->flags); prop->object_id=_X_BE_32(&prop->object_id); + + return RMFF_PROPHEADER_SIZE; } -static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { +static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) { int s1, s2, s3; - if (!mdpr) return; + if (!mdpr) return 0; + + if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size) + return -1; + mdpr->object_id=_X_BE_32(&mdpr->object_id); mdpr->size=_X_BE_32(&mdpr->size); mdpr->object_version=_X_BE_16(&mdpr->object_version); 
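Review bot: In rmff_dump_mdpr the guard `bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size` compares a signed int against a sum whose operand types are not visible in this hunk; if any of those length fields is an unsigned 32-bit type (they are wire-format lengths, so that seems likely — verify against the struct in rmff.h), the comparison is done unsigned and a sum that wraps would slip past the check. The value returned at the end of the function is built from s1, s2 and s3, which are assigned outside this hunk, so whether it equals the sum the guard checked cannot be confirmed here. Suggest computing the requirement once, `size_t need = (size_t)RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size;` with `if (bufsize < 0 || (size_t)bufsize < need) return -1;`, and returning that same value. rmff_dump_cont in the next hunk has the same shape of guard.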
@@ -141,13 +157,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { mdpr->duration=_X_BE_32(&mdpr->duration); mdpr->object_id=_X_BE_32(&mdpr->object_id); + return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3; } -static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { +static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) { int p; - if (!cont) return; + if (!cont) return 0; + + if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + + cont->copyright_len + cont->comment_len) + return -1; + cont->object_id=_X_BE_32(&cont->object_id); cont->size=_X_BE_32(&cont->size); cont->object_version=_X_BE_16(&cont->object_version); @@ -181,11 +203,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { cont->size=_X_BE_32(&cont->size); cont->object_version=_X_BE_16(&cont->object_version); cont->object_id=_X_BE_32(&cont->object_id); + + return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + + cont->copyright_len + cont->comment_len; } -static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { +static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) { + + if (!data) return 0; + + if (bufsize < RMFF_DATAHEADER_SIZE) + return -1; - if (!data) return; data->object_id=_X_BE_32(&data->object_id); data->size=_X_BE_32(&data->size); data->object_version=_X_BE_16(&data->object_version); 
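Review bot: rmff_dump_cont spells out the five-term size `RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + cont->copyright_len + cont->comment_len` twice, once in the guard at the top of the function and again in the return at the end, where the surrounding context lines are the byte-swap-back sequence. Computing it once into a local, `int total = RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + cont->copyright_len + cont->comment_len;`, checking `if (bufsize < total) return -1;` and ending with `return total;` ties the reported length to the checked one and removes the dependency on the length fields being back in host order at the return. The function starts in the previous hunk.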
@@ -201,31 +230,43 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { data->size=_X_BE_32(&data->size); data->object_version=_X_BE_16(&data->object_version); data->object_id=_X_BE_32(&data->object_id); + + return RMFF_DATAHEADER_SIZE; } -int rmff_dump_header(rmff_header_t *h, char *buffer, int max) { +int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) { + uint8_t *buffer = buf_gen; - int written=0; + int written=0, size; rmff_mdpr_t **stream=h->streams; - rmff_dump_fileheader(h->fileheader, &buffer[written]); - written+=h->fileheader->size; - rmff_dump_prop(h->prop, &buffer[written]); - written+=h->prop->size; - rmff_dump_cont(h->cont, &buffer[written]); - written+=h->cont->size; + if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; + if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; + if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; if (stream) { while(*stream) { - rmff_dump_mdpr(*stream, &buffer[written]); - written+=(*stream)->size; + if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; stream++; } } - rmff_dump_dataheader(h->data, &buffer[written]); - written+=18; + if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0) + return -1; + written+=size; return written; } diff --git a/src/input/libreal/rmff.h b/src/input/libreal/rmff.h index d39942088..5288fc558 100644 --- a/src/input/libreal/rmff.h +++ b/src/input/libreal/rmff.h @@ -39,6 +39,12 @@ #define RMFF_HEADER_SIZE 0x12 +#define RMFF_FILEHEADER_SIZE 18 +#define RMFF_PROPHEADER_SIZE 50 +#define RMFF_MDPRHEADER_SIZE 46 +#define RMFF_CONTHEADER_SIZE 18 +#define RMFF_DATAHEADER_SIZE 18 + #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \ (((long)(unsigned char)(ch3) ) | \ ( (long)(unsigned char)(ch2) << 8 ) | \ 
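Review bot: The bookkeeping `if ((size=...) < 0) return -1; written+=size; max -= size;` is repeated five times in rmff_dump_header, and the last copy (the dataheader step) drops the `max -= size;`, which is harmless only because nothing follows it. Adding `max -= size;` there keeps the invariant that `written + max` equals the caller's original max on every step and makes a later sixth chunk harder to get wrong; a small static helper taking `size`, `&written` and `&max` would remove the repetition altogether. Note that on a -1 return the earlier chunks have already been written into the buffer, so callers must not treat the buffer as empty.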
diff --git a/src/input/librtsp/rtsp_session.c b/src/input/librtsp/rtsp_session.c index f3ddb59bc..5b02282e9 100644 --- a/src/input/librtsp/rtsp_session.c +++ b/src/input/librtsp/rtsp_session.c @@ -148,6 +148,11 @@ connect: rtsp_session->header_left = rtsp_session->header_len = rmff_dump_header(h,rtsp_session->header,HEADER_SIZE); + if (rtsp_session->header_len < 0) { + xprintf (stream->xine, XINE_VERBOSITY_LOG, + _("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n")); + goto session_abort; + } xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len); rtsp_session->recv_size = rtsp_session->header_len; @@ -157,6 +162,7 @@ connect: { xprintf(stream->xine, XINE_VERBOSITY_LOG, _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server); + session_abort: rtsp_close(rtsp_session->s); free(server); xine_buffer_free(rtsp_session->recv); -- cgit v1.2.3 From a9aa9d58524fd95b1babe4a47308b126899c1113 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 15:21:53 +0000 Subject: Correct the prototype of rmff_dump_header. (Build fix.) --- src/input/libreal/rmff.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/input/libreal/rmff.h b/src/input/libreal/rmff.h index 5288fc558..b03d12b1b 100644 --- a/src/input/libreal/rmff.h +++ b/src/input/libreal/rmff.h @@ -251,7 +251,7 @@ int rmff_get_header_size(rmff_header_t *h); /* * dumps the header to . is the size of */ -int rmff_dump_header(rmff_header_t *h, char *buffer, int max); +int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max); /* * dumps a packet header -- cgit v1.2.3 From 0c0bc8da469f415f3558010658df40349f9eca74 Mon Sep 17 00:00:00 2001 
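Review bot: The abort path added after rmff_dump_header jumps to session_abort, a label placed inside the "server type not supported" branch in the next hunk, so both error paths now share the cleanup that follows it (rtsp_close, free(server), xine_buffer_free(recv)); nothing in that visible cleanup releases the rmff header `h` that was just dumped, so if `h` is heap-allocated and freed later on the success path, this new path leaks it — worth confirming against the lines outside the hunk. The guard `rtsp_session->header_len < 0` also only works if header_len is a signed field; if the struct declares it unsigned the comparison is always false and the check is dead. If `h` is owned here, `rmff_free_header(h);` before the goto (or a single cleanup label that frees it) would close the leak.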
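Review bot: The comment above the corrected prototype, `dumps the header to . is the size of`, reads as garbled (probably angle-bracketed placeholders lost in extraction) and in any case does not describe the result now that rmff_dump_header can fail. Suggest replacing it with `dumps the header to buf_gen; max is the size of buf_gen in bytes. Returns the number of bytes written, or -1 if the header does not fit in max (earlier chunks may already have been written).` This commit only fixes the prototype, so the comment is the one remaining mismatch between rmff.h and rmff.c.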
From: Matthias Ringwald Date: Fri, 11 Jan 2008 15:35:04 +0000 Subject: XineOpenViewGL bug on PPC/Darwin Typo of WORDS_BIGENDIAN in in /src/video_out/macosx/XineVOpenGLView.m. It only affects big-endian systems (PowerPC) as it defaults to little-endian. --- src/video_out/macosx/XineOpenGLView.m | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/video_out/macosx/XineOpenGLView.m b/src/video_out/macosx/XineOpenGLView.m index a9ffee00f..1f947ca16 100644 --- a/src/video_out/macosx/XineOpenGLView.m +++ b/src/video_out/macosx/XineOpenGLView.m @@ -340,7 +340,7 @@ NSColorToYUV(NSColor *color) // http://developer.apple.com/samplecode/Sample_Code/Graphics_3D/TextureRange/MainOpenGLView.m.htm glTexSubImage2D(GL_TEXTURE_RECTANGLE_EXT, 0, 0, 0, videoSize.width, videoSize.height, GL_YCBCR_422_APPLE, -#if WORDS_BIG_ENDIAN +#if WORDS_BIGENDIAN GL_UNSIGNED_SHORT_8_8_APPLE, #else GL_UNSIGNED_SHORT_8_8_REV_APPLE, -- cgit v1.2.3 From 33705e739deb34b959d4a3ecb0b3a6a6b60420c8 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 15:37:37 +0000 Subject: Changelog entry for the PPC/Darwin display fix. --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index ab355ba75..de00895fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ xine-lib (1.1.9.1) (unreleased) (Fix ported from mplayer changeset 22821) * Fix a read-past-end bug in xine-lib's internal strtok_r replacement. (Only affects systems without strtok_r.) [Bug #19] + * Fix a bug which causes video playback display errors on PPC/Darwin. xine-lib (1.1.9) * Fix dvd://.../title[.chapter] handling (somewhat broken in 1.1.8). -- cgit v1.2.3 From 3187480880c001ffde34169980926bfed1acb7de Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 15:37:47 +0000 Subject: Mark 1.1.9.1 as released. --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index de00895fc..f7e8b3243 100644 --- a/ChangeLog +++ b/ChangeLog 
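Review bot: The fix corrects the macro name, but the construct `#if WORDS_BIGENDIAN` is what let the typo hide: `#if` on an undefined identifier silently evaluates to 0, so the misspelt `WORDS_BIG_ENDIAN` selected the little-endian texture format on every platform without any diagnostic. Switching to `#ifdef WORDS_BIGENDIAN` (autoconf defines it to 1 or not at all) or building with `-Wundef` would turn a recurrence of this into a warning; the `#else` branch is untouched either way.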
@@ -1,4 +1,4 @@ -xine-lib (1.1.9.1) (unreleased) +xine-lib (1.1.9.1) * Security fixes: - Fix a buffer overflow in RTSP header-handling code. (CVE-2008-0225) (Fix ported from mplayer changeset 22821) -- cgit v1.2.3 From cb297e293074b679e69837f54f7ce28fda0f7f53 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 16:11:04 +0000 Subject: Added tag xine-lib-1_1_9_1-release for changeset 9438947f88ad --- .hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgtags b/.hgtags index b483eab8c..8b9b6199b 100644 --- a/.hgtags +++ b/.hgtags @@ -63,3 +63,4 @@ fd12068ebd3fab2438f77b06e312c4244e97950a DXR3_095 ab1531337553ad5eac24a69ac665eae33916b423 xine-lib-1_1_7-release e0a332b9d3e8bb3fad4d7feac1e519292b062056 xine-lib-1_1_8-release b6be674453e922114b55d4613cb197c77d19f094 xine-lib-1_1_9-release +9438947f88ad2bed1832385301c6b4e62709625a xine-lib-1_1_9_1-release -- cgit v1.2.3 From 4e63c284d8e45a33041806d201124985b8089e3e Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 11 Jan 2008 16:11:12 +0000 Subject: Added signature for changeset b591d00fcd386cdd3779378c34b2d42b7504afc4 --- .hgsigs | 1 + 1 file changed, 1 insertion(+) diff --git a/.hgsigs b/.hgsigs index 4a6a1294f..528d1e655 100644 --- a/.hgsigs +++ b/.hgsigs @@ -1,3 +1,4 @@ 5e6d0656ac4efdc1a89ed0fc32f11050f4a22970 0 iD8DBQBGZ207sBKtjPGfWZ8RAhdEAKCrkwiBT6bTof7ro5QQwewRfF/dMACffsvfK42+ahQrjpSfQxEp6k7RpCI= 42358e16442fe54fa554006e0b0bafd51e065c32 0 iD8DBQBG0xz0zbwfTn7RbcARAoD3AJ4012pabmpQvCKKDokZNyZzfPIbWgCfRk5FRly/Eei/xXnSaT54XHAT5KM= 1dbf784bebc791266fcca02e917ee63034ac2e0b 0 iD8DBQBHgQ2mzbwfTn7RbcARArl9AKCslqZDrrm0GiU3IbBvcQVbOdSXlwCgyEMuHY2y/+T6WEeB2CXvCTs5ulI= +b591d00fcd386cdd3779378c34b2d42b7504afc4 0 iD8DBQBHh5UfsBKtjPGfWZ8RAgvMAJ9xwnDNifmaobFYe2nR7+rJlLTkEQCgguGMqwqRZY68HWQXhEx918hp4Yg= -- cgit v1.2.3