From d60523d37375659965650be4c695b3d439ded174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20=27Flameeyes=27=20Petten=C3=B2?=
Date: Tue, 11 Mar 2008 15:24:55 +0100
Subject: Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). Thanks to Alin Rad Pop, Secunia Research.
---
 ChangeLog | 2 ++
 src/input/libreal/sdpplin.c | 23 ++++++++++++++++++++---
 src/input/libreal/sdpplin.h | 4 ++--
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 22c651383..a97bd18c5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 xine-lib (1.1.11) unreleased
+ * Security fixes:
+ - Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073)
 * Reworked the plugin directory naming so that external plugins don't have to be rebuilt for every release. We now use a naming scheme based on the API/ABI versioning, checking older directories - with this release, the
diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c
index 5b22e9044..04554c45e 100644
--- a/src/input/libreal/sdpplin.c
+++ b/src/input/libreal/sdpplin.c
@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
 handled=0;
 if(filter(*data,"a=control:streamid=",&buf)) {
- desc->stream_id=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream id out of bound: %lu\n", tmp);
+ else
+ desc->stream_id=tmp;
 handled=1;
 *data=nl(*data);
 }
@@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) {
 }
 stream=sdpplin_parse_stream(&data);
 lprintf("got data for stream id %u\n", stream->stream_id);
- desc->stream[stream->stream_id]=stream;
+ if ( stream->stream_id >= desc->stream_count )
+ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+ else
+ desc->stream[stream->stream_id]=stream;
 continue;
 }
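Review bot: `strtoul(buf, NULL, 10)` in the new `a=control:streamid=` branch accepts non-numeric text as 0, because neither an end pointer nor `errno` is checked, so a malformed stream id is silently treated as stream 0 instead of being rejected. When `tmp > UINT16_MAX` the branch only logs, yet `handled=1` still runs and `desc->stream_id` keeps whatever value it had before, so the entry is reported as parsed with an id this code never validated. A stricter conversion would be `char *end = NULL; errno = 0; unsigned long tmp = strtoul(buf, &end, 10);` followed by rejecting the entry when `end == buf || errno == ERANGE || tmp > UINT16_MAX` (and `*end != '\0'` if filter() hands back only the value text, which the hunk does not show); the `a=StreamCount:integer;` hunk at @@ -293 has the same gap. The comment's claim that negative input always maps to an unfeasibly high value holds for `-1` but not for every negative string strtoul can wrap back into range, so an explicit `*buf == '-'` rejection would be clearer. sdpplin_parse_stream's body continues outside the hunk.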
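Review bot: In the @@ -252 hunk, when `stream->stream_id >= desc->stream_count` the freshly returned `stream` is logged and then dropped without being released, so every rejected entry leaks the allocation sdpplin_parse_stream() produced (and whatever it owns); the rejection branch should free it with the file's stream destructor (its name is not visible in the hunk). The new check also does not cover duplicate ids: a second entry carrying an in-range id already used overwrites `desc->stream[id]` and leaks the earlier stream, which an `else if (desc->stream[stream->stream_id] != NULL)` guard before the store would catch. The dereference `stream->stream_id` still assumes sdpplin_parse_stream() never returns NULL; whether that holds cannot be confirmed from this hunk. sdpplin_parse's body continues outside the hunk.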
@@ -293,7 +303,14 @@ sdpplin_t *sdpplin_parse(char *data) {
 }
 if(filter(data,"a=StreamCount:integer;",&buf)) {
- desc->stream_count=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream count out of bound: %lu\n", tmp);
+ else
+ desc->stream_count = tmp;
 desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
 handled=1;
 data=nl(data);
diff --git a/src/input/libreal/sdpplin.h b/src/input/libreal/sdpplin.h
index cb3b434d4..72cbaf731 100644
--- a/src/input/libreal/sdpplin.h
+++ b/src/input/libreal/sdpplin.h
@@ -37,7 +37,7 @@ typedef struct {
 char *id;
 char *bandwidth;
- int stream_id;
+ uint16_t stream_id;
 char *range;
 char *length;
 char *rtpmap;
@@ -81,7 +81,7 @@ typedef struct {
 int flags;
 int is_real_data_type;
- int stream_count;
+ uint16_t stream_count;
 char *title;
 char *author;
 char *copyright;
--
cgit v1.2.3
From 0bffcd49650c9781f26aba965500492f1053f3da Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Wed, 19 Mar 2008 14:04:23 +0000
Subject: Release date. Correct a few minor changelog errors.
---
 ChangeLog | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a97bd18c5..b26128624 100644
--- a/ChangeLog
+++ b/ChangeLog
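Review bot: In the `a=StreamCount:integer;` branch, `desc->stream = calloc(desc->stream_count, ...)` still executes when `tmp > UINT16_MAX`, so an out-of-range count reallocates the stream array from the stale `stream_count` and leaks whatever `desc->stream` held before; a repeated StreamCount line leaks the previous array and its streams the same way. Moving the calloc into the `else` branch (or releasing the old array first) would keep a rejected count from touching `desc->stream`, and the calloc result should be checked for NULL before later indexing relies on it. `strtoul(buf, NULL, 10)` carries the same unchecked-conversion weakness as the streamid hunk at @@ -143: non-numeric text becomes a count of 0 without any log. sdpplin_parse's body continues outside the hunk.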
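Review bot: The `uint16_t stream_id` and `uint16_t stream_count` fields in the sdpplin.h hunks at @@ -37 and @@ -81 require `<stdint.h>` (or `<inttypes.h>`) to be visible in sdpplin.h, and sdpplin.c now needs it for `UINT16_MAX`; no include appears in the diff, so confirm both files already have it rather than relying on transitive includes. Narrowing the fields also changes the struct layout for every translation unit that includes the header, and any remaining `int` store into them elsewhere in the tree will now truncate silently, so a field comment is warranted: `/* parsed from untrusted SDP; kept to 16 bits and checked against stream_count in sdpplin_parse() */`. Both typedef structs begin outside their hunks.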
@@ -1,11 +1,11 @@
-xine-lib (1.1.11) unreleased
+xine-lib (1.1.11) 2008-03-19
 * Security fixes:
 - Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073)
 * Reworked the plugin directory naming so that external plugins don't have to be rebuilt for every release. We now use a naming scheme based on the API/ABI versioning, checking older directories - with this release, the
- plugin directory name is 1.19, and if this gets bumped to 1.20 in a
- future release, 1.19 will still be available for external plugins.
+ plugin directory name is 1.20, and if this gets bumped to 1.21 in a
+ future release, 1.20 will still be available for external plugins.
 (Any directories not 1.* won't be looked in.)
 * Made the version parsing much more reliable; it wasn't properly coping with four-part version numbers. This affects any program whose build
--
cgit v1.2.3
From c6b82b99a230c6d46b4f78c0e36f02aa91b45780 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Wed, 19 Mar 2008 14:04:43 +0000
Subject: Added tag xine-lib-1_1_11-release for changeset 10a6bc10e58f
---
 .hgtags | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.hgtags b/.hgtags
index 51885c59d..8e215ddd6 100644
--- a/.hgtags
+++ b/.hgtags
@@ -66,3 +66,4 @@ b6be674453e922114b55d4613cb197c77d19f094 xine-lib-1_1_9-release
 9438947f88ad2bed1832385301c6b4e62709625a xine-lib-1_1_9_1-release
 7f1232425c6d715c404e6df1292075b33ecb8305 xine-lib-1_1_10-release
 0e9e4df266f639ac7ba9e0c204f205686b56d5f9 xine-lib-1_1_10_1-release
+10a6bc10e58f45f6cb79f634bdb6b7daa3167742 xine-lib-1_1_11-release
--
cgit v1.2.3
From 7d85f38774705d6954c2c67b2e8c9991de3e0f87 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Wed, 19 Mar 2008 14:04:56 +0000
Subject: Added signature for changeset d912bda42df43a6ec24a4d479e202c327a733a42
---
 .hgsigs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.hgsigs b/.hgsigs
index 367ce4851..92f6ce36d 100644
--- a/.hgsigs
+++ b/.hgsigs
@@ -3,3 +3,4 @@
 1dbf784bebc791266fcca02e917ee63034ac2e0b 0 iD8DBQBHgQ2mzbwfTn7RbcARArl9AKCslqZDrrm0GiU3IbBvcQVbOdSXlwCgyEMuHY2y/+T6WEeB2CXvCTs5ulI=
 b591d00fcd386cdd3779378c34b2d42b7504afc4 0 iD8DBQBHh5UfsBKtjPGfWZ8RAgvMAJ9xwnDNifmaobFYe2nR7+rJlLTkEQCgguGMqwqRZY68HWQXhEx918hp4Yg=
 ae1e23df14223cdacf83df75b28b223895d658c2 0 iD8DBQBHm6SjsBKtjPGfWZ8RAi8HAKDAHmmLu8rwN5XJJPhfEofE7BTpsgCfTyNzku+v/PhqXgl4kQnRiB6nUSE=
+d912bda42df43a6ec24a4d479e202c327a733a42 0 iD8DBQBH4R2HsBKtjPGfWZ8RAr/IAJ46ypOhqO0EiSDrZYhumvpFYtrPQwCbBz/SXSDNuJNaKlR70Ep+THmhFIk=
--
cgit v1.2.3