From 4c52c9ca51da4772a8df3dfd2d6e1d824dbfbea0 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Thu, 13 Mar 2008 16:41:34 +0000 Subject: Add a CVE number for the ASF header crash fix. --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 84dc7815f..75c3b6309 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,7 +32,7 @@ xine-lib (1.1.10) 2008-01-26 * Security fixes: - Buffer overflow which allows a remote attacker to execute arbitrary code or crash the client program via a crafted ASF header. - (Related to CVE-2006-1664) + (CVE-2008-1110, related to CVE-2006-1664) * Update Ogg and Annodex mimetypes and extensions. * Change the default v4l device paths to /dev/video0 and /dev/radio0. * Fix support for subtitles with schemes (e.g. http://), partly broken -- cgit v1.2.3 From 7a3a1e423dd9cfcc47152509474bea108fff444f Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Fri, 14 Mar 2008 16:39:40 +0000 Subject: Mention CVE-2008-1161, which was fixed in 1.1.10.1. --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 75c3b6309..22c651383 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,10 @@ xine-lib (1.1.10.1) 2008-02-07 - Array index vulnerability which may allow remote attackers to execute arbitrary code via a crafted FLAC tag, causing a stack buffer overflow. (CVE-2008-0486) + - Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c) + which may allow remote attackers to cause a denial of service (crash) + or possibly execute arbitrary code via a Matroska file with invalid + frame sizes. (CVE-2008-1161) * Fix a RealPlayer codec detection bug. * Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag size. -- cgit v1.2.3 From fbd93b493f7c694e1c750b110ded431a65cb9664 Mon Sep 17 00:00:00 2001 From: Carlo Bramini Date: Fri, 14 Mar 2008 20:05:34 +0000 Subject: Unportable pthread_t compare in xine.c With Pthreads for Win32/Win64 I cannot compare two pthread_t items because they are implemented as structures. This patch fixes the comparison by using pthread_equal() function. --HG-- extra : transplant_source : %9D%98%CE%83%5E%BD%A9u%11%C7%3BmP%28%EBH%D0%B6I%DF --- src/xine-engine/xine.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/xine-engine/xine.c b/src/xine-engine/xine.c index c207680e6..efb845be5 100644 --- a/src/xine-engine/xine.c +++ b/src/xine-engine/xine.c @@ -133,7 +133,7 @@ static int acquire_allowed_to_block(xine_ticket_t *this) { unsigned new_size; for(entry = 0; entry < this->holder_thread_count; ++entry) { - if(this->holder_threads[entry].holder == own_id) { + if(pthread_equal(this->holder_threads[entry].holder, own_id)) { /* This thread may already hold this ticket */ this->holder_threads[entry].count++; return (this->holder_threads[entry].count == 1); @@ -204,7 +204,7 @@ static int release_allowed_to_block(xine_ticket_t *this) { unsigned entry; for(entry = 0; entry < this->holder_thread_count; ++entry) { - if(this->holder_threads[entry].holder == own_id) { + if(pthread_equal(this->holder_threads[entry].holder, own_id)) { this->holder_threads[entry].count--; return this->holder_threads[entry].count == 0; } -- cgit v1.2.3 From b23f7d232b98527846bfcd41aed36914ffbc431b Mon Sep 17 00:00:00 2001 From: Carlo Bramini Date: Fri, 14 Mar 2008 20:13:48 +0000 Subject: xine_init(): mutex objs not initialized The problem comes from the fact that into xine_probe_fast_memcpy() there is a call to xprintf, which excutes some actions to this->log_lock. But the "log_lock" field is still uninitialized. Under Windows, the xine_init() always crashes because that type is implemented as a structure, so the lock receives a NULL pointer and the execution is halted. The attached patch proposes to move the mutex objects to the top of xine_init() function. --HG-- extra : transplant_source : %07%1D%7F%F0%97%7D%06%3E%9F%2Ar%03%1DQ%14%F3%D1%EF%1D%93 --- src/xine-engine/xine.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/xine-engine/xine.c b/src/xine-engine/xine.c index efb845be5..d58b4ea55 100644 --- a/src/xine-engine/xine.c +++ b/src/xine-engine/xine.c @@ -1662,6 +1662,12 @@ void xine_init (xine_t *this) { static const char *demux_strategies[] = {"default", "reverse", "content", "extension", NULL}; + /* + * locks + */ + pthread_mutex_init (&this->streams_lock, NULL); + pthread_mutex_init (&this->log_lock, NULL); + /* initialize color conversion tables and functions */ init_yuv_conversion(); @@ -1742,12 +1748,6 @@ void xine_init (xine_t *this) { */ this->streams = xine_list_new(); - /* - * locks - */ - pthread_mutex_init (&this->streams_lock, NULL); - pthread_mutex_init (&this->log_lock, NULL); - /* * start metronom clock */ -- cgit v1.2.3 From bfcacf9ccf8331baf47a7db55017d0ca5e273080 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Mon, 17 Mar 2008 16:01:40 +0000 Subject: Allow CR & LF termination of XML element names. --- src/xine-utils/xmllexer.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/xine-utils/xmllexer.c b/src/xine-utils/xmllexer.c index be3bdd248..09e5a5e24 100644 --- a/src/xine-utils/xmllexer.c +++ b/src/xine-utils/xmllexer.c @@ -411,6 +411,8 @@ int lexer_get_token_d(char ** _tok, int * _tok_size, int fixed) { case '\"': /* " */ case ' ': case '\t': + case '\n': + case '\r': case '=': case '/': tok[tok_pos] = '\0'; -- cgit v1.2.3 From 431033df2571df5bdd1ec1253cf04921b6d01368 Mon Sep 17 00:00:00 2001 From: Bastian Blank Date: Sun, 2 Mar 2008 22:48:39 +0000 Subject: libdvdread - Uses UDF provided length as authoritative libdvdread uses the file length provided by the UDF fs of the title set IFO files authoritative. I got a DVD which have parts of this file mapped outside of the provided file size and according to my memory only the offsets in the files matters in the standard. This patch adjusts the internal knowledge of the filesize accordingly and at least allows mplayer to play the dvd. (Imported from Debian libdvdread 0.9.7-8) --- src/input/libdvdnav/dvd_reader.c | 24 +++++++++++++++++++++++- src/input/libdvdnav/dvd_reader.h | 2 ++ src/input/libdvdnav/ifo_read.c | 6 +++++- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/input/libdvdnav/dvd_reader.c b/src/input/libdvdnav/dvd_reader.c index 200a1dbec..eff1977fc 100644 --- a/src/input/libdvdnav/dvd_reader.c +++ b/src/input/libdvdnav/dvd_reader.c @@ -1037,6 +1037,28 @@ int32_t DVDFileSeek( dvd_file_t *dvd_file, int32_t offset ) return offset; } +int32_t DVDFileSeekForce( dvd_file_t *dvd_file, int offset, int force_size ) +{ + /* Check arguments. */ + if( dvd_file == NULL || offset < 0 ) + return -1; + + if( dvd_file->dvd->isImageFile ) { + if( force_size < 0 ) + force_size = (offset - 1) / DVD_VIDEO_LB_LEN + 1; + if( dvd_file->filesize < force_size) { + dvd_file->filesize = force_size; + fprintf(stderr, "libdvdread: Ignored UDF provided size of file.\n"); + } + } + + if( offset > dvd_file->filesize * DVD_VIDEO_LB_LEN ) { + return -1; + } + dvd_file->seek_pos = (uint32_t) offset; + return offset; +} + ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size ) { unsigned char *secbuf_base, *secbuf; @@ -1077,7 +1099,7 @@ ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size ) memcpy( data, &(secbuf[ seek_byte ]), byte_size ); free( secbuf_base ); - dvd_file->seek_pos += byte_size; + DVDFileSeekForce(dvd_file, dvd_file->seek_pos + byte_size, -1); return byte_size; } diff --git a/src/input/libdvdnav/dvd_reader.h b/src/input/libdvdnav/dvd_reader.h index bb3f5053b..e1b051c00 100644 --- a/src/input/libdvdnav/dvd_reader.h +++ b/src/input/libdvdnav/dvd_reader.h @@ -171,6 +171,8 @@ ssize_t DVDReadBlocks( dvd_file_t *, int, size_t, unsigned char * ); */ int32_t DVDFileSeek( dvd_file_t *, int32_t ); +int32_t DVDFileSeekForce( dvd_file_t *, int, int ); + /** * Reads the given number of bytes from the file. This call can only be used * on the information files, and may not be used for reading from a VOB. This diff --git a/src/input/libdvdnav/ifo_read.c b/src/input/libdvdnav/ifo_read.c index 8f47d2a54..bc1ba580b 100644 --- a/src/input/libdvdnav/ifo_read.c +++ b/src/input/libdvdnav/ifo_read.c @@ -93,6 +93,10 @@ static inline int DVDFileSeek_( dvd_file_t *dvd_file, uint32_t offset ) { return (DVDFileSeek(dvd_file, (int)offset) == (int)offset); } +static inline int32_t DVDFileSeekForce_( dvd_file_t *dvd_file, uint32_t offset, int force_size ) { + return (DVDFileSeekForce(dvd_file, (int)offset, force_size) == (int)offset); +} + ifo_handle_t *ifoOpen(dvd_reader_t *dvd, int title) { ifo_handle_t *ifofile; @@ -1507,7 +1511,7 @@ static int ifoRead_VOBU_ADMAP_internal(ifo_handle_t *ifofile, unsigned int i; int info_length; - if(!DVDFileSeek_(ifofile->file, sector * DVD_BLOCK_LEN)) + if(!DVDFileSeekForce_(ifofile->file, sector * DVD_BLOCK_LEN, sector)) return 0; if(!(DVDReadBytes(ifofile->file, vobu_admap, VOBU_ADMAP_SIZE))) -- cgit v1.2.3