diff -u mplayer-1.0~rc1/debian/control mplayer-1.0~rc1/debian/control
--- mplayer-1.0~rc1/debian/control
+++ mplayer-1.0~rc1/debian/control
@@ -1,8 +1,7 @@
 Source: mplayer
 Section: graphics
 Priority: extra
-Maintainer: Ubuntu MOTU Developers
-XSBC-Original-Maintainer: Ubuntu MOTU Media Team
+Maintainer: Ubuntu MOTU Media Team
 Standards-Version: 3.7.2
 Build-Depends: debhelper (>= 5.0.37), libncurses5-dev, libesd0-dev, liblircclient-dev, libgtk2.0-dev, libvorbis-dev, libsdl1.2-dev, sharutils, libasound2-dev (>= 1.0.1), liblzo-dev, gawk, libjpeg62-dev, libaudiofile-dev, libsmbclient-dev, libxv-dev, libpng3-dev, libungif4-dev, libcdparanoia0-dev, libxvidcore4-dev, libdv-dev, liblivemedia-dev (>= 2004.05.01), libfreetype6-dev, em8300-headers, libgl1-mesa-dev | libgl-dev, libdvdread-dev, libdts-dev, libtheora-dev, libglu1-mesa-dev | libglu-dev, libartsc0-dev, libfontconfig-dev, libxxf86dga-dev, libxinerama-dev, libxxf86vm-dev, liblame-dev, libxvmc-dev, libggi2-dev, ttf-bitstream-vera, libmpcdec-dev, libspeex-dev, libfribidi-dev, libfaac-dev, sed (>= 4.0), libaa1-dev, libcaca-dev, libx264-dev (>= 1:0.cvs20060720), libpulse-dev, libmad0-dev, ladspa-sdk, libdbus-glib-1-dev
 XS-Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-dev/mplayer/ubuntu
diff -u mplayer-1.0~rc1/debian/changelog mplayer-1.0~rc1/debian/changelog
--- mplayer-1.0~rc1/debian/changelog
+++ mplayer-1.0~rc1/debian/changelog
@@ -1,3 +1,12 @@
+mplayer (2:1.0~rc1-0ubuntu9.2) feisty-security; urgency=low
+
+ * SECURITY UPDATE: buffer overrun in mpdemux code (LP: #140891).
+ * libmpdemux/aviheader.c: Apply upstream patch.
+ * References:
+ - CVE-2007-4938
+
+ -- William Grant Tue, 06 Nov 2007 17:11:21 +1100
+
 mplayer (2:1.0~rc1-0ubuntu9.1) feisty-security; urgency=low
 * SECURITY UPDATE: buffer overrun in cddb code (LP: #118855).
only in patch2:
unchanged:
--- mplayer-1.0~rc1.orig/libmpdemux/aviheader.c
+++ mplayer-1.0~rc1/libmpdemux/aviheader.c
@@ -227,16 +227,16 @@
 print_avisuperindex_chunk(s,MSGL_V);
- if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
- mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
- s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
- }
-
 // Check and fix this useless crap
 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
 }
+ if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+ mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+ s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+ }
+
 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
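Review bot: The two `calloc` calls that close the hunk take their element count from `s->nEntriesInUse`, a value read from the file, and no visible line tests `s->aIndex` or `s->stdidx` for NULL afterwards. The enclosing function starts and ends outside the hunk, so a check may exist further down; if it does not, a guard such as `if (!s->aIndex || !s->stdidx)` that frees both and skips this index should follow the allocations. Separately, the moved clamp is only sound because it now runs after `s->wLongsPerEntry` has been forced to `sizeof(avisuperindex_entry)/4`, since the bound divides by that field. Nothing in the code records this ordering, so a comment above the moved `if`, for example `/* clamp only after wLongsPerEntry is normalised: the bound divides by it */`, would keep a later cleanup from swapping the two checks back.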