Hello community,

here is the log from the commit of package vlc.5224 for openSUSE:13.2:Update checked in at 2016-06-22 11:09:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/vlc.5224 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.vlc.5224.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "vlc.5224" Changes: -------- New Changes file: --- /dev/null 2016-04-07 01:36:33.300037506 +0200 +++ /work/SRC/openSUSE:13.2:Update/.vlc.5224.new/vlc.changes 2016-06-22 11:09:27.000000000 +0200 
@@ -0,0 +1,1290 @@ +------------------------------------------------------------------- +Mon Jun 13 15:27:53 UTC 2016 - [email protected] + +- Add vlc-2.1.6-CVE-2016-5108.patch: adpcm: reject invalid + QuickTime IMA files, backported from upstream commit c2d2c3 + (CVE-2016-5108, boo#984382). + +------------------------------------------------------------------- +Fri Feb 5 21:36:21 UTC 2016 - [email protected] + +- Update to version 2.1.6: + + Audio output: Fix OSS stuttering. + + Security: + - Fix heap overflow in decomp stream filter. + - Fix buffer overflow in updater. + - Fix potential buffer overflow in schroedinger encoder. + - Fix null-pointer dereference in DMO decoder. + - Fix buffer overflow in parsing of string boxes in mp4 + demuxer. + - Fix SRTP integer overflow. + - Fix potential crash in zip access. + - Fix read overflow in Ogg demuxer. +- Drop vlc-CVE-2014-9625.patch: fixed upstream. +- Add vlc-2.1.6-CVE-2016-3941.patch: fix Heap overflow in + processing wav files (CVE-2016-3941, boo#973354). + +------------------------------------------------------------------- +Thu Jan 14 21:29:15 UTC 2016 - [email protected] + +- Resolve a dependency issue with libmatroska - boo#961994 + +------------------------------------------------------------------- +Thu Jan 22 15:03:10 UTC 2015 - [email protected] + +- Add vlc-CVE-2014-9625.patch: Fix various buffer overflows and + null ptr dereferencing (boo#914268, CVE-2014-9625). 
+ +------------------------------------------------------------------- +Sun Nov 9 16:06:10 UTC 2014 - [email protected] + +- fix skins2 defaut.vlt generation with newer tar defaults (and + remove the embedded build date from it on the way) + vlc-2.1.5-fix-skins2-default-skin-creation.patch +- remove buildhost hostname from the binary to avoid republishing + +------------------------------------------------------------------- +Thu Oct 30 06:08:06 UTC 2014 - [email protected] + +- Convert BuildRequires from foo-devel to pkgconfig(foo) + +------------------------------------------------------------------- +Fri Oct 24 07:47:58 UTC 2014 - [email protected] + +- First attempts on enabling build for SLE-12. + +------------------------------------------------------------------- +Thu Oct 9 18:37:20 UTC 2014 - [email protected] + +- Enable SSE2 instruction set for x86_64 + +------------------------------------------------------------------- +Tue Oct 7 00:44:05 UTC 2014 - [email protected] + +- Disable fluidsynth again: the crashes we had earlier are still + not all fixed. They are less, but less common makes it more + difficult to debug. 
+ +------------------------------------------------------------------- +Sun Oct 5 12:54:44 UTC 2014 - [email protected] + +- Enable build for SLE_11 + +------------------------------------------------------------------- +Tue Sep 23 19:12:35 UTC 2014 - [email protected] + +- Fix rpmlint warning about duplicates with fdupes +- Add missing BuildRequires: + + fluidsynth-devel: SMF files playback + + freerdp-devel: RDP support + + libkde4-devel: KDE integration + + libchromaprint-devel: Chromaprint stream output + + libmlt6-modules: television broadcasting + + LibVNCServer-devel: VNC support + + opencv-devel: real-time computer vision support + + xcb-util-keysyms-devel: better X integration +- Remome gcc-c++ and libqt4-devel because automatically installed +- Add 'suse_version' conditionals to the new BuildRequires +- Remove 'suse_version' conditionals from live555-devel & lua-devel + +------------------------------------------------------------------- +Sat Jul 12 13:26:39 UTC 2014 - [email protected] + +- Update to version 2.1.5: + + Core: Fix compilation on OS/2. + + Access: Stability improvements for the QTSound capture module. + + Mac OS X audio output: + - Fix channel ordering. + - Increase the buffersize. + + Decoders: + - Fix DxVA2 decoding of samples needing more surfaces. + - Improve MAD resistance to broken mp3 streams. + - Fix PGS alignment in MKV. + + Qt Interface: Don't rename mp3 converted files to .raw. + + Mac OS X Interface: + - Correctly support video-on-top. + - Fix video output event propagation on Macs with retina + displays. + - Stability improvements when using future VLC releases side by + side. + + Streaming: Fix transcode when audio format changes. + + Updated translations. 
+ +------------------------------------------------------------------- +Thu May 15 11:47:43 CEST 2014 - [email protected] + +- Include also libglobalhotkeys_plugin.so which is build with old x11 + +------------------------------------------------------------------- +Thu May 15 11:30:28 CEST 2014 - [email protected] + +- BuildRequire at least gnutls 3.0.20 + +------------------------------------------------------------------- +Fri May 2 08:29:17 CEST 2014 - [email protected] + +- BuildRequire at least jack 1.9.7 + +------------------------------------------------------------------- +Thu Apr 24 20:00:17 CEST 2014 - [email protected] + +- BuildRequire libtag-devel instead of taglib-devel to work around + a resolver bug. A package name from external project is prefered + over a provide from the same project. + +------------------------------------------------------------------- +Tue Apr 15 20:14:20 CEST 2014 - [email protected] + +- Require plain lua-devel instead of lua51-devel for 12.1 or older + +------------------------------------------------------------------- +Sat Mar 8 21:55:46 UTC 2014 - [email protected] + +- Fixed PowerPC builds. + +------------------------------------------------------------------- +Sun Feb 23 17:02:26 UTC 2014 - [email protected] + +- Update to version 2.1.4: + + Demuxers: Fix issue in WMV with multiple compressed payload and + empty payloads. + + Video Output: Fix subtitles size rendering on Windows. + + Mac OS X: + - Fix DVD playback regression. + - Fix misleading error message during video playback on + OS X 10.9. + - Fix hardware acceleration memleaks. + +------------------------------------------------------------------- +Thu Feb 20 19:48:32 UTC 2014 - [email protected] + +- Update to version 2.1.3 (bnc#864422): + + Core: + - Fix broken behaviour with SOCKSv5 proxies + - Fix integer overflow on error when using vlc_readdir + + Access: + - Fix DVB-T2 tuning on Linux. + - Fix encrypted DVD playback. + - Fix v4l2 frequency conversion. 
+ + Decoders: + - Fix numerous issues (M2TS, VC1 interlaced, Lagarith, FFv1.3, + Xvid) by updating codec libraries. + - Bring fluidsynth back on Mac OS X + - Fix some Opus crashes with some filters + - Fix teletext crash on Windows + + Demuxers: + - Avoid an infinite recursion in MKV tags parsing + - Fix an issue with some Vobsub tracks + - Fix missing samples at the end of some wav files + - Fix divide by 0 on ASF/WMV parsing + + Audio output: + - Fix audio device selection via command line on Mac OS X + - Fix audio crashes on Mac OS X + + Video Output: + - Fix selection of DirectDraw as the default output for XP + - Fix transform off-by-one issue + - Fix screensaver disabling on Windows outputs + - Fix DirectDraw device enumeration and multi-display output + - Fix a potential crash when playing a fullscreen game at the same time as VLC + + Stream output: + - Fix 24bits audio MTU alignment in RTP + - Fix record file names + + Qt interface: + - Fix minimal size possible on start + - Fix a crash with the simple volume widget + - Fix a crash in the audio menu building + - Fix multimedia keys issues on Windows + - Fix opening of DVD and BD folders on Windows ++++ 1093 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.vlc.5224.new/vlc.changes New: ---- 0001-no-return-in-non-void.patch vlc-2.1.5-fix-skins2-default-skin-creation.patch vlc-2.1.6-CVE-2016-3941.patch vlc-2.1.6-CVE-2016-5108.patch vlc-2.1.6.tar.xz vlc.changes vlc.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vlc.spec ++++++ ++++ 1010 lines (skipped) ++++++ 0001-no-return-in-non-void.patch ++++++ diff --git a/modules/access/v4l2/demux.c b/modules/access/v4l2/demux.c index 73af8ce..8ffad6f 100644 --- a/modules/access/v4l2/demux.c +++ b/modules/access/v4l2/demux.c 
@@ -629,6 +629,7 @@ static void *MmapThread (void *data) } assert (0); + return NULL; /* dead code, but the compiler can't know */ } static void *ReadThread (void *data) @@ -691,6 +692,7 @@ static void *ReadThread (void *data) #endif } assert (0); + return NULL; /* dead code, but the compiler can't know */ } static int DemuxControl( demux_t *demux, int query, va_list args ) diff --git a/modules/control/dbus/dbus.c b/modules/control/dbus/dbus.c index 8d7dc6e..cc924aa 100644 --- a/modules/control/dbus/dbus.c +++ b/modules/control/dbus/dbus.c @@ -880,6 +880,7 @@ static void *Run( void *data ) vlc_restorecancel( canc ); } assert(0); + return NULL; /* dead code, but the compiler can't know */ } static void wakeup_main_loop( void *p_data ) diff --git a/modules/control/motion.c b/modules/control/motion.c index 72d7ec6..49c5620 100644 --- a/modules/control/motion.c +++ b/modules/control/motion.c @@ -190,6 +190,7 @@ static void *RunIntf( void *data ) vlc_restorecancel( canc ); } assert(0); + return NULL; /* dead code, but the compiler can't know */ } #undef LOW_THRESHOLD #undef HIGH_THRESHOLD diff --git a/modules/control/motionlib.c b/modules/control/motionlib.c index 9d24ced..b087410 100644 --- a/modules/control/motionlib.c +++ b/modules/control/motionlib.c @@ -196,6 +196,7 @@ static int GetOrientation( motion_sensors_t *motion ) default: assert( 0 ); } + return 0; /* dead code, but the compiler can't know */ } /***************************************************************************** diff --git a/modules/stream_out/rtp.c b/modules/stream_out/rtp.c index 62c89b7..81f884a 100644 --- a/modules/stream_out/rtp.c +++ b/modules/stream_out/rtp.c @@ -1501,6 +1501,7 @@ static void *rtp_listen_thread( void *data ) } assert( 0 ); + return NULL; /* dead code, but the compiler can't know */ } diff --git a/modules/visualization/visual/visual.c b/modules/visualization/visual/visual.c index 0baa2bc..6b788cb 100644 --- a/modules/visualization/visual/visual.c 
+++ b/modules/visualization/visual/visual.c @@ -366,6 +366,7 @@ static void *Thread( void *data ) vlc_restorecancel( canc ); } assert(0); + return NULL; } static block_t *DoWork( filter_t *p_filter, block_t *p_in_buf ) diff --git a/src/misc/events.c b/src/misc/events.c index b430ee5..29c387f 100644 --- a/src/misc/events.c +++ b/src/misc/events.c @@ -271,6 +271,7 @@ int vlc_event_attach( vlc_event_manager_t * p_em, FOREACH_END() /* Unknown event = BUG */ assert( 0 ); + return 0; } /** ++++++ vlc-2.1.5-fix-skins2-default-skin-creation.patch ++++++ Author: Stefan Seyfried <[email protected]> New tar defaults create PAX archives which have two problems: * VLC cannot read them * they contain atime and thus the build time Avoid this by passign "--format=ustar" to tar when creating skins2/default.vlt Index: b/share/Makefile.am =================================================================== --- a/share/Makefile.am +++ b/share/Makefile.am @@ -79,7 +79,7 @@ skins2/default.vlt: $(skins2_default_vlt mkdir -p skins2 (cd "$(srcdir)/skins2"; find default -print0 | \ LC_ALL=C sort -z | \ - tar cvv --exclude .svn --no-recursion --null -T -) | \ + tar cvv --format=ustar --exclude .svn --no-recursion --null -T -) | \ gzip -n > skins2/default.vlt # Index: b/share/Makefile.in =================================================================== --- a/share/Makefile.in +++ b/share/Makefile.in @@ -1757,7 +1757,7 @@ skins2/default.vlt: $(skins2_default_vlt mkdir -p skins2 (cd "$(srcdir)/skins2"; find default -print0 | \ LC_ALL=C sort -z | \ - tar cvv --exclude .svn --no-recursion --null -T -) | \ + tar cvv --format=ustar --exclude .svn --no-recursion --null -T -) | \ gzip -n > skins2/default.vlt .lua.luac: ++++++ vlc-2.1.6-CVE-2016-3941.patch ++++++ m 321fa90d585b9ebcb317cf6e575edf2bb952b687 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?= <[email protected]> Date: Thu, 29 Jan 2015 19:15:53 +0200 Subject: [PATCH] stream: handle seek across EOF correctly (hopefully) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit (cherry picked from commit 6419254f5bb5ae06b72c93c9b52cd0a3bbbacb94) Signed-off-by: Felix Paul Kühne <[email protected]> --- src/input/stream.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/input/stream.c b/src/input/stream.c index 18e77e2..4cceaac 100644 --- a/src/input/stream.c +++ b/src/input/stream.c @@ -1083,15 +1083,15 @@ static int AStreamPeekStream( stream_t *s, const uint8_t **pp_peek, unsigned int /* Be sure we will read something */ p_sys->stream.i_used += tk->i_start + p_sys->stream.i_offset + i_read - tk->i_end; } - if( AStreamRefillStream( s ) ) break; - } - - if( tk->i_end < tk->i_start + p_sys->stream.i_offset + i_read ) - { - i_read = tk->i_end - tk->i_start - p_sys->stream.i_offset; + if( AStreamRefillStream( s ) ) + { + if( tk->i_end < tk->i_start + p_sys->stream.i_offset ) + return 0; /* EOF */ + i_read = tk->i_end - tk->i_start - p_sys->stream.i_offset; + break; + } } - /* Now, direct pointer or a copy ? */ i_off = (tk->i_start + p_sys->stream.i_offset) % STREAM_CACHE_TRACK_SIZE; if( i_off + i_read <= STREAM_CACHE_TRACK_SIZE ) -- 1.7.10.4 ++++++ vlc-2.1.6-CVE-2016-5108.patch ++++++ >From c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C3=ABl=20Carr=C3=A9?= <[email protected]> Date: Wed, 25 May 2016 10:00:25 +0200 Subject: [PATCH 1/1] adpcm: reject invalid QuickTime IMA files DecodeAdpcmImaQT() can only decode up to stereo files. Fix out of bound write. Reported by: Patrick Coleman <[email protected]> Signed-off-by: Jean-Baptiste Kempf <[email protected]> (cherry picked from commit 458ed62bbeb9d1bddf7b8df104e14936408a3db9) 
Signed-off-by: Jean-Baptiste Kempf <[email protected]> --- modules/codec/adpcm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/codec/adpcm.c b/modules/codec/adpcm.c index e655c45..0071077 100644 --- a/modules/codec/adpcm.c +++ b/modules/codec/adpcm.c @@ -174,6 +174,12 @@ static int OpenDecoder( vlc_object_t *p_this ) switch( p_dec->fmt_in.i_codec ) { case VLC_FOURCC('i','m','a', '4'): /* IMA ADPCM */ + if (p_dec->fmt_in.audio.i_channels > 2) { + free(p_sys); + msg_Err(p_dec, "Invalid number of channels %i", + p_dec->fmt_in.audio.i_channels ); + return VLC_EGENERIC; + } p_sys->codec = ADPCM_IMA_QT; break; case VLC_CODEC_ADPCM_IMA_WAV: /* IMA ADPCM */ -- 1.7.10.4
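
Review bot: in the src/misc/events.c hunk of 0001-no-return-in-non-void.patch, the added "return 0;" after "assert( 0 );" in vlc_event_attach() is dead code only while assertions are compiled in. With NDEBUG defined the assert expands to nothing, and the function then returns 0 (VLC_SUCCESS) for the case its own comment marks as "Unknown event = BUG". Return an error value there instead, for example VLC_EGENERIC as the adpcm patch in this same submission does, so a non-debug build fails the attach rather than reporting success.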
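
Review bot: in the modules/visualization/visual/visual.c hunk of 0001-no-return-in-non-void.patch, the added "return NULL;" in Thread() has no trailing comment, while the v4l2, dbus, motion, motionlib and rtp hunks all annotate the same change with "/* dead code, but the compiler can't know */". Add the same comment here so a later reader does not take the return for a reachable exit path.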
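
Review bot: in the share/Makefile.am hunk of vlc-2.1.5-fix-skins2-default-skin-creation.patch, the reason for "--format=ustar" is recorded only in the patch header, not next to the tar invocation. Add a short comment above the skins2/default.vlt rule saying that VLC cannot read PAX archives and that PAX headers embed atime, so the flag is not dropped as redundant in a later cleanup. The share/Makefile.in hunk repeats the same edit in a generated file; it is only needed if the build does not regenerate Makefile.in from Makefile.am.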
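
Review bot: in the src/input/stream.c hunk of vlc-2.1.6-CVE-2016-3941.patch, the new boundary test inside the AStreamRefillStream() failure branch uses "<", so when tk->i_end equals tk->i_start + p_sys->stream.i_offset the code sets i_read to 0 and falls through to the "direct pointer or a copy" block instead of taking the "return 0; /* EOF */" path. Use "<=" so every zero-byte result leaves through the same exit, or add a comment explaining why the two cases should differ. The patch header also carries no reference to CVE-2016-3941 or boo#973354, although the file name and vlc.changes do; add one so the patch can be matched to the advisory without the changelog.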
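
Review bot: in the modules/codec/adpcm.c hunk of vlc-2.1.6-CVE-2016-5108.patch, the new rejection path calls free(p_sys) and returns VLC_EGENERIC without touching p_dec->p_sys. If OpenDecoder() has already stored that pointer in p_dec->p_sys before the switch, the decoder object keeps a dangling pointer after the failed open. Set p_dec->p_sys = NULL next to the free, or confirm that the assignment only happens after the switch. The added lines also write "if (...) {" where the surrounding code uses the "switch( ... )" spacing, a minor style mismatch.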
