tags 401311 + patch
thanks

Hi,
I extracted the patch for this RC-bug - if you want, I can as well NMU it. Cheers, Andi diff -ur gstreamer0.10-ffmpeg-0.10.1~/debian/changelog gstreamer0.10-ffmpeg-0.10.1/debian/changelog --- gstreamer0.10-ffmpeg-0.10.1~/debian/changelog 2006-12-05 22:10:22.000000000 +0000 +++ gstreamer0.10-ffmpeg-0.10.1/debian/changelog 2006-12-05 22:13:15.000000000 +0000 @@ -1,3 +1,10 @@ +gstreamer0.10-ffmpeg (0.10.1-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix buffer overflow in 4XM code (CVE-2006-4800). Closes: #401311 + + -- Andreas Barth <[EMAIL PROTECTED]> Tue, 5 Dec 2006 22:12:38 +0000 + gstreamer0.10-ffmpeg (0.10.1-2) unstable; urgency=low [ Loic Minier ] diff -ur gstreamer0.10-ffmpeg-0.10.1~/gst-libs/ext/ffmpeg/libavcodec/4xm.c gstreamer0.10-ffmpeg-0.10.1/gst-libs/ext/ffmpeg/libavcodec/4xm.c --- gstreamer0.10-ffmpeg-0.10.1~/gst-libs/ext/ffmpeg/libavcodec/4xm.c 2006-03-28 18:43:58.000000000 +0000 +++ gstreamer0.10-ffmpeg-0.10.1/gst-libs/ext/ffmpeg/libavcodec/4xm.c 2006-12-05 22:15:13.000000000 +0000 @@ -606,7 +606,7 @@ int i, frame_4cc, frame_size; frame_4cc= get32(buf); - if(buf_size != get32(buf+4)+8){ + if(buf_size != get32(buf+4)+8 || buf_size < 20){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4)); } @@ -634,6 +634,10 @@ cfrm= &f->cfrm[i]; cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE); + if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL + av_log(f->avctx, AV_LOG_ERROR, "realloc falure"); + return -1; + } memcpy(cfrm->data + cfrm->size, buf+20, data_size); cfrm->size += data_size; -- http://home.arcor.de/andreas-barth/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
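Review bot: in the @@ -606 hunk of 4xm.c the new `|| buf_size < 20` condition only leads to the av_log call; the visible context shows the if body closing right after the "size mismatch" message with no return, so a frame shorter than 20 bytes is logged and then still reaches the later `memcpy(cfrm->data + cfrm->size, buf+20, data_size)`, which copies from offset 20 of a buffer that does not extend that far. Suggest adding `return -1;` after the av_log, at least for the `buf_size < 20` case, or a comment naming whichever later check stops processing, since none is visible in the hunk.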
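Review bot: in the @@ -634 hunk the new error message has a typo and lacks a trailing newline; "realloc falure" should read "realloc failure\n" to match the other av_log call in this file, which ends its message with "\n". Two further points on the same lines: `cfrm->data= av_fast_realloc(cfrm->data, ...)` overwrites the old pointer before the NULL check, so on failure the previously allocated block is lost (the usual fix is to realloc into a temporary and assign only on success); and the hunk does not show where data_size is bounded against `buf_size - 20` before the memcpy from `buf+20`, so it is worth confirming that check exists elsewhere, since the NULL check alone does not cover a data_size larger than the input.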