[MPlayer-cvslog] CVS: main/libmpdemux asf.h, 1.19, 1.20 asfheader.c, 1.48, 1.49 demux_asf.c, 1.46, 1.47
Ivan Kalvachev
ikalvachev at gmail.com
Fri Mar 31 01:09:19 CEST 2006
- Previous message: [MPlayer-cvslog] CVS: main/libmpdemux asf.h, 1.19, 1.20 asfheader.c, 1.48, 1.49 demux_asf.c, 1.46, 1.47
- Next message: [MPlayer-cvslog] CVS: main mplayer.c, 1.924, 1.925 mencoder.c, 1.347, 1.348
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
2006/3/31, Ivan Kalvachev CVS <syncmail at mplayerhq.hu>:
> CVS change done by Ivan Kalvachev CVS
>
> Update of /cvsroot/mplayer/main/libmpdemux
> In directory mail:/var2/tmp/cvs-serv9691
>
> Modified Files:
> asf.h asfheader.c demux_asf.c
> Log Message:
> fix descrambling of asf file,
> where signed buffer could cause erroneous values to be filled in descrable variables,
> add misssing check for one of these variables
> and restore sign of these variables as insurance that these checks will work even in such case.
>
>
> Index: asf.h
> ===================================================================
> RCS file: /cvsroot/mplayer/main/libmpdemux/asf.h,v
> retrieving revision 1.19
> retrieving revision 1.20
> diff -u -r1.19 -r1.20
> --- asf.h 29 Mar 2006 23:25:09 -0000 1.19
> +++ asf.h 30 Mar 2006 23:06:18 -0000 1.20
> @@ -216,9 +216,9 @@
> struct asf_priv {
> ASF_header_t header;
> unsigned char* packet;
> - unsigned scrambling_h;
> - unsigned scrambling_w;
> - unsigned scrambling_b;
> + int scrambling_h;
> + int scrambling_w;
> + int scrambling_b;
> unsigned packetsize;
> double packetrate;
> unsigned movielength;
>
> Index: asfheader.c
> ===================================================================
> RCS file: /cvsroot/mplayer/main/libmpdemux/asfheader.c,v
> retrieving revision 1.48
> retrieving revision 1.49
> diff -u -r1.48 -r1.49
> --- asfheader.c 29 Mar 2006 23:25:09 -0000 1.48
> +++ asfheader.c 30 Mar 2006 23:06:18 -0000 1.49
> @@ -184,7 +184,7 @@
> while ((pos = find_asf_guid(hdr, asf_stream_header_guid, pos, hdr_len)) >= 0)
> {
> ASF_stream_header_t *streamh = (ASF_stream_header_t *)&hdr[pos];
> - char *buffer;
> + uint8_t *buffer;
> pos += sizeof(ASF_stream_header_t);
> if (pos > hdr_len) goto len_err_out;
> le2me_ASF_stream_header_t(streamh);
> @@ -217,7 +217,9 @@
> asf->scrambling_h=buffer[0];
> asf->scrambling_w=(buffer[2]<<8)|buffer[1];
> asf->scrambling_b=(buffer[4]<<8)|buffer[3];
> - asf->scrambling_w/=asf->scrambling_b;
> + if(asf->scrambling_b>0){
> + asf->scrambling_w/=asf->scrambling_b;
> + }
> } else {
> asf->scrambling_b=asf->scrambling_h=asf->scrambling_w=1;
> }
>
> Index: demux_asf.c
> ===================================================================
> RCS file: /cvsroot/mplayer/main/libmpdemux/demux_asf.c,v
> retrieving revision 1.46
> retrieving revision 1.47
> diff -u -r1.46 -r1.47
> --- demux_asf.c 29 Mar 2006 23:25:09 -0000 1.46
> +++ demux_asf.c 30 Mar 2006 23:06:18 -0000 1.47
> @@ -100,7 +100,7 @@
> if(ds->asf_seq!=seq){
> // closed segment, finalize packet:
> if(ds==demux->audio)
> - if(asf->scrambling_h>1 && asf->scrambling_w>1)
> + if(asf->scrambling_h>1 && asf->scrambling_w>1 && asf->scrambling_b>0)
> asf_descrambling(&ds->asf_packet->buffer,ds->asf_packet->len,asf);
> ds_add_packet(ds,ds->asf_packet);
> ds->asf_packet=NULL;
Sorry for committing without warning, but the previous commit really
opened this code for attack that would have been uncessfull without
the sign changes.
I'll take the cola if there is any.
- Previous message: [MPlayer-cvslog] CVS: main/libmpdemux asf.h, 1.19, 1.20 asfheader.c, 1.48, 1.49 demux_asf.c, 1.46, 1.47
- Next message: [MPlayer-cvslog] CVS: main mplayer.c, 1.924, 1.925 mencoder.c, 1.347, 1.348
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the MPlayer-cvslog
mailing list