Package: xine-lib Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for xine-lib.
CVE-2008-5242[0]: | demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, | does not validate the count field before calling calloc for STSD_ATOM | atom allocation, which allows remote attackers to cause a denial of | service (crash) or possibly execute arbitrary code via a crafted media | file. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Note that this issue is not fixed in the upstream development version: checks for string_size being 0 are still missing, which makes it possible to overflow the buffer. Attached is a patch by Thomas Viehmann which fixes this problem. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5242 http://security-tracker.debian.net/tracker/CVE-2008-5242 -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
--- xine-lib-1.1.14.orig/src/demuxers/demux_qt.c
+++ xine-lib-1.1.14/src/demuxers/demux_qt.c
@@ -739,49 +739,49 @@
if (current_atom == ART_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->artist = xine_xmalloc(string_size);
- if (info->artist) {
+ if (string_size && info->artist) {
strncpy(info->artist, &meta_atom[i + 20], string_size - 1);
info->artist[string_size - 1] = 0;
}
} else if (current_atom == NAM_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->name = xine_xmalloc(string_size);
- if (info->name) {
+ if (string_size && info->name) {
strncpy(info->name, &meta_atom[i + 20], string_size - 1);
info->name[string_size - 1] = 0;
}
} else if (current_atom == ALB_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->album = xine_xmalloc(string_size);
- if (info->album) {
+ if (string_size && info->album) {
strncpy(info->album, &meta_atom[i + 20], string_size - 1);
info->album[string_size - 1] = 0;
}
} else if (current_atom == GEN_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->genre = xine_xmalloc(string_size);
- if (info->genre) {
+ if (string_size && info->genre) {
strncpy(info->genre, &meta_atom[i + 20], string_size - 1);
info->genre[string_size - 1] = 0;
}
} else if (current_atom == TOO_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->comment = xine_xmalloc(string_size);
- if (info->comment) {
+ if (string_size && info->comment) {
strncpy(info->comment, &meta_atom[i + 20], string_size - 1);
info->comment[string_size - 1] = 0;
}
} else if (current_atom == WRT_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->composer = xine_xmalloc(string_size);
- if (info->composer) {
+ if (string_size && info->composer) {
strncpy(info->composer, &meta_atom[i + 20], string_size - 1);
info->composer[string_size - 1] = 0;
}
} else if (current_atom == DAY_ATOM) {
string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
info->year = xine_xmalloc(string_size);
- if (info->year) {
+ if (string_size && info->year) {
strncpy(info->year, &meta_atom[i + 20], string_size - 1);
info->year[string_size - 1] = 0;
}
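Review bot: The added `string_size &&` test in each of the seven branches rejects only a decoded length of exactly zero. A size field smaller than 15 still makes `_X_BE_32(&meta_atom[i + 4]) - 16 + 1` go negative or wrap (the declaration of string_size is outside the hunk, so which of the two is not visible), and nothing compares the length with the bytes actually left in meta_atom after offset i + 20, so strncpy can still read past the end of the atom. I would validate the field once before calling xine_xmalloc: reject values below 16 (a value of 16 already means zero text bytes) and values that extend past the end of the meta atom, and skip the allocation on failure so that info->artist and the other fields are not left holding a zero-length buffer that is never NUL-terminated. Since the seven branches differ only in the destination field, a small static helper doing the bounds check, allocation and copy would keep that validation in one place. The enclosing function and the rest of the if/else chain lie outside the hunk.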

