diff -u mplayer-1.0~rc2/debian/changelog mplayer-1.0~rc2/debian/changelog
--- mplayer-1.0~rc2/debian/changelog
+++ mplayer-1.0~rc2/debian/changelog
@@ -1,3 +1,17 @@
+mplayer (2:1.0~rc2-0ubuntu13.1) hardy-security; urgency=low
+
+  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
+    earlier allow remote attackers to cause a denial of service
+    (process termination) and possibly execute arbitrary code via a
+    crafted video file that causes the stream_read function to read or
+    write arbitrary memory. (LP: #279030)
+    - libmpdemux/demux_real.c - patch from oCert.
+    - References:
+      + CVE-2008-3827
+      + http://www.ocert.org/advisories/ocert-2008-013.html
+
+ -- Stefan Lesicnik <stefan@lsd.co.za>  Wed, 08 Oct 2008 07:51:18 +0200
+
 mplayer (2:1.0~rc2-0ubuntu13) hardy; urgency=low
 
   * SECURITY UPDATE: arbitrary code execution via crafted RTSP stream.
only in patch2:
unchanged:
--- mplayer-1.0~rc2.orig/libmpdemux/demux_real.c
+++ mplayer-1.0~rc2/libmpdemux/demux_real.c
@@ -958,6 +958,7 @@
 			    // last fragment!
 			    if(dp_hdr->len!=vpkg_length-vpkg_offset)
 				mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
+			    if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
             		    stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
 			    if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
 			    dp_hdr->len+=vpkg_offset;
@@ -981,6 +982,7 @@
 			// non-last fragment:
 			if(dp_hdr->len!=vpkg_offset)
 			    mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  offset=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,len,vpkg_length);
+			if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
             		stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
 			if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
 			dp_hdr->len+=len;
@@ -1003,6 +1005,7 @@
 		extra[0]=1; extra[1]=0; // offset of the first chunk
 		if(0x00==(vpkg_header&0xc0)){
 		    // first fragment:
+		    if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
 		    dp_hdr->len=len;
 		    stream_read(demuxer->stream, dp_data, len);
 		    ds->asf_packet=dp;