diff -u mplayer-1.0~rc2/debian/changelog mplayer-1.0~rc2/debian/changelog
--- mplayer-1.0~rc2/debian/changelog
+++ mplayer-1.0~rc2/debian/changelog
@@ -1,3 +1,16 @@
+mplayer (2:1.0~rc2-0ubuntu13.2) hardy-security; urgency=low
+
+ * SECURITY UPDATE: Integer signedness error in the fourxm_read_header
+ function in libavformat/4xm.c in FFmpeg before revision 16846 allows
+ remote attackers to execute arbitrary code via a malformed 4X movie
+ file with a large current_track value, which triggers a NULL pointer
+ dereference. (LP: #731625)
+ - libavformat/4xm.c - patch from ffmpeg package in hardy-security
+ - References:
+ + CVE-2009-0385
+
+ -- Firas Kraiem Tue, 08 Mar 2011 22:53:14 +0100
+
 mplayer (2:1.0~rc2-0ubuntu13.1) hardy-security; urgency=low
 
 * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
only in patch2:
unchanged:
--- mplayer-1.0~rc2.orig/libavformat/4xm.c
+++ mplayer-1.0~rc2/libavformat/4xm.c
@@ -163,10 +163,12 @@
 return AVERROR_INVALIDDATA;
 }
 current_track = AV_RL32(&header[i + 8]);
+ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+ av_log(s, AV_LOG_ERROR, "current_track too large\n");
+ return -1;
+ }
 if (current_track + 1 > fourxm->track_count) {
 fourxm->track_count = current_track + 1;
- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack))
- return -1;
 fourxm->tracks = av_realloc(fourxm->tracks,
 fourxm->track_count * sizeof(AudioTrack));
 if (!fourxm->tracks) {
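Review bot: The new early exit `return -1;` after the `current_track` range check in libavformat/4xm.c is inconsistent with the error path two lines above it, which returns `AVERROR_INVALIDDATA`; a malformed track index is the same class of failure and should read `return AVERROR_INVALIDDATA;`. fourxm_read_header starts and ends outside this hunk, so it is not visible whether `header` or `fourxm->tracks` are heap-allocated before this point; if they are, this path should release them before returning. The guard also only keeps the `fourxm->track_count * sizeof(AudioTrack)` product from wrapping: a value just under the limit is still accepted, so a small file can still ask `av_realloc` for a buffer approaching UINT_MAX bytes, and a format-level cap on the track index would bound that. A comment above the check such as `/* current_track is read from the file: bound it before it sizes the tracks array */` would record why it has to precede the comparison with `track_count`.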