diff -u vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/changelog vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/changelog
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/changelog
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/changelog
@@ -1,3 +1,36 @@
+vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: multiple denials of service, arbitrary code execution and
+ arbitrary file overwriting vulnerabilities. (LP: #238873)
+ - debian/patches/032_CVE-2007-6683.diff: Assume unsafe Mozilla variable
+ settings. Fixes file overwriting. Patch from upstream git.
+ - debian/patches/033_CVE-2008-0073.diff: Check that the RTSP stream ID
+ isn't too large. Fixes arbitrary code execution. Patch from upstream git.
+ - debian/patches/034_CVE-2008-1686.diff: Check that the Speex header mode
+ is positive. Fixes arbitrary code execution. Patch from upstream git.
+ - debian/patches/038_CVE-2008-1768.diff: Fix a buffer overflow in the MP4
+ decoder, and an integer overflow in both the Cinepak and Real decoders.
+ Patches from upstream git.
+ - debian/patches/035_CVE-2008-1769.diff: Perform an appropriate boundary
+ check on frames in Cinepak streams. Fixes denial of service. Patch from
+ upstream git.
+ - debian/patches/036_CVE-2008-1881.diff: Fix subtitle format strings.
+ Properly fixes CVE-2007-6681, an arbitrary code execution vulnerability.
+ Patch from upstream git.
+ - debian/patches/037_CVE-2008-2147.diff: Only search for plugins in the
+ normal path. Fixes arbitrary code execution. Patch from upstream git.
+ - References:
+ + CVE-2007-6681
+ + CVE-2007-6683
+ + CVE-2008-0073
+ + CVE-2008-1686
+ + CVE-2008-1768
+ + CVE-2008-1769
+ + CVE-2008-1881
+ + CVE-2008-2147
+
+ -- William Grant Tue, 24 Jun 2008 23:20:22 +1000
+
 vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3) hardy; urgency=low
 * debian/control: Make vlc-plugin-pulse a dependency of vlc, to enable pulseaudio
diff -u vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/series vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/series
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/series
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/series
@@ -11,0 +12,7 @@
+032_CVE-2007-6683.diff
+033_CVE-2008-0073.diff
+034_CVE-2008-1686.diff
+035_CVE-2008-1769.diff
+036_CVE-2008-1881.diff
+037_CVE-2008-2147.diff
+038_CVE-2008-1768.diff
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/035_CVE-2008-1769.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/035_CVE-2008-1769.diff
@@ -0,0 +1,97 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/cinepak.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/codec/cinepak.c 2008-06-24 18:19:40.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/cinepak.c 2008-06-24 18:19:57.000000000 +1000
+@@ -59,8 +59,8 @@
+ {
+ int b_grayscale; /* force to grayscale */
+
+- int i_width;
+- int i_height;
++ unsigned int i_width;
++ unsigned int i_height;
+
+ int i_stride_x;
+ int i_stride_y;
+@@ -89,7 +89,7 @@
+
+ static picture_t *DecodeBlock ( decoder_t *, block_t ** );
+
+-static int cinepak_decode_frame( cinepak_context_t *, int, uint8_t * );
++static int cinepak_decode_frame( cinepak_context_t *, size_t, uint8_t * );
+
+ /*****************************************************************************
+ * OpenDecoder: probe the decoder and return score
+@@ -282,6 +282,16 @@
+ uint8_t i_index[4];
+ int i,j;
+
++ size_t y_max = p_context->i_stride[0] * ( i_y + 5 ) + i_x + 5;
++ size_t u_max = p_context->i_stride[1] * ( ( i_y/2 ) + 2 ) + 2 + ( i_x / 2 );
++ size_t v_max = p_context->i_stride[2] * ( ( i_y/2 ) + 2 ) + 2 + ( i_x / 2 );
++ size_t y_siz = p_context->i_stride[0] * p_context->i_lines[0];
++ size_t u_siz = p_context->i_stride[1] * p_context->i_lines[1];
++ size_t v_siz = p_context->i_stride[2] * p_context->i_lines[2];
++ /* boundary check */
++ if( y_max >= y_siz || u_max >= u_siz || v_max >= v_siz )
++ return;
++
+ uint8_t *p_dst_y, *p_dst_u, *p_dst_v;
+ #define PIX_SET_Y( x, y, v ) \
+ p_dst_y[(x) + (y)* p_context->i_stride[0]] = (v);
+@@ -329,6 +339,16 @@
+ uint8_t i_index;
+ int i,j;
+
++ size_t y_max = p_context->i_stride[0] * ( i_y + 5 ) + i_x + 5;
++ size_t u_max = p_context->i_stride[1] * ( ( i_y/2 ) + 2 ) + 2 + ( i_x / 2 );
++ size_t v_max = p_context->i_stride[2] * ( ( i_y/2 ) + 2 ) + 2 + ( i_x / 2 );
++ size_t y_siz = p_context->i_stride[0] *
p_context->i_lines[0];
++ size_t u_siz = p_context->i_stride[1] * p_context->i_lines[1];
++ size_t v_siz = p_context->i_stride[2] * p_context->i_lines[2];
++ /* boundary check */
++ if( y_max >= y_siz || u_max >= u_siz || v_max >= v_siz )
++ return;
++
+ uint8_t *p_dst_y, *p_dst_u, *p_dst_v;
+ #define PIX_SET_Y( x, y, v ) \
+ p_dst_y[(x) + (y)* p_context->i_stride[0]] = (v);
+@@ -371,14 +391,14 @@
+ * The function that decode one frame
+ *****************************************************************************/
+ static int cinepak_decode_frame( cinepak_context_t *p_context,
+- int i_length, uint8_t *p_data )
++ size_t i_length, uint8_t *p_data )
+ {
+ int i_strip;
+
+- int i_frame_flags;
+- int i_frame_size;
+- int i_width, i_height;
+- int i_frame_strips;
++ int8_t i_frame_flags;
++ uint32_t i_frame_size;
++ uint16_t i_width, i_height;
++ uint16_t i_frame_strips;
+ int i_index;
+ int i_strip_x1 =0, i_strip_y1=0;
+ int i_strip_x2 =0, i_strip_y2=0;
+@@ -447,15 +467,15 @@
+ /* Now decode each strip */
+ for( i_strip = 0; i_strip < i_frame_strips; i_strip++ )
+ {
+- int i_strip_id;
+- int i_strip_size;
++ uint16_t i_strip_size;
+
+ if( i_length <= 12 )
+ {
+ break;
+ }
+
+- i_strip_id = GET2BYTES( p_data );
++ p_data += 2; /* int16_t i_strip_id = GET2BYTES( p_data ); */
++
+ i_strip_size = GET2BYTES( p_data );
+ i_strip_size = __MIN( i_strip_size, i_length );
+ /* FIXME I don't really understand how it's work; */
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/038_CVE-2008-1768.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/038_CVE-2008-1768.diff
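Review bot: The new bound expressions, `size_t y_max = p_context->i_stride[0] * ( i_y + 5 ) + i_x + 5;` and the three `*_siz` products, are evaluated in the operands' own type and only then widened to size_t, so if i_stride/i_lines are int (their declarations are outside the hunk; the neighbouring i_stride_x/i_stride_y fields are int) a stride and line count near 64K each overflow signed int before the `>=` comparison ever runs. Casting the first operand, `(size_t)p_context->i_stride[0] * ( i_y + 5 ) + i_x + 5` and `(size_t)p_context->i_stride[0] * p_context->i_lines[0]`, keeps the whole computation in size_t and makes the check meaningful for large frames. The same nine lines are duplicated verbatim in the @@ -282 and @@ -329 hunks; a `static int cinepak_block_in_bounds( cinepak_context_t *, int i_x, int i_y )` helper would keep the two copies in step. The block-decode functions these hunks patch start before each hunk, so the types of i_x and i_y are not visible here.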
@@ -0,0 +1,121 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/cinepak.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/codec/cinepak.c 2008-06-24 22:29:28.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/cinepak.c 2008-06-24 22:29:28.000000000 +1000
+@@ -416,7 +416,7 @@
+ i_height = GET2BYTES( p_data );
+ i_frame_strips = GET2BYTES( p_data );
+
+- if( !i_frame_size || !i_width || !i_height )
++ if( !i_frame_size || !i_width || !i_height || i_width > 0xffff-3 || i_height > 0xffff-3)
+ {
+ /* Broken header */
+ return( -1 );
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/mp4/libmp4.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/demux/mp4/libmp4.c 2008-06-24 22:29:27.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/mp4/libmp4.c 2008-06-24 22:29:28.000000000 +1000
+@@ -37,6 +37,8 @@
+ * *look* at the code.
+ *
+ *****************************************************************************/
++#define FREENULL( p ) do { free( p ); p = NULL; } while(0)
++
+ #define MP4_BOX_HEADERSIZE( p_box ) \
+ ( 8 + ( p_box->i_shortsize == 1 ? 8 : 0 ) \
+ + ( p_box->i_type == FOURCC_uuid ?
16 : 0 ) )
+@@ -1641,9 +1643,19 @@
+ FREE( p_box->data.p_stdp->i_priority )
+ }
+
++static void MP4_FreeBox_padb( MP4_Box_t *p_box )
++{
++ FREENULL( p_box->data.p_padb->i_reserved1 );
++ FREENULL( p_box->data.p_padb->i_pad2 );
++ FREENULL( p_box->data.p_padb->i_reserved2 );
++ FREENULL( p_box->data.p_padb->i_pad1 );
++}
++
+ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
+ {
++ int code = 0;
+ unsigned int i;
++ uint32_t count;
+
+ MP4_READBOX_ENTER( MP4_Box_data_padb_t );
+
+@@ -1652,19 +1664,21 @@
+
+ MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
+
+- p_box->data.p_padb->i_reserved1 =
+- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
+- p_box->data.p_padb->i_pad2 =
+- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
+- p_box->data.p_padb->i_reserved2 =
+- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
+- p_box->data.p_padb->i_pad1 =
+- calloc( sizeof( uint16_t ), ( p_box->data.p_padb->i_sample_count + 1 ) / 2 );
++ count = (p_box->data.p_padb->i_sample_count + 1) / 2;
+
++ p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
++ p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
++ p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
++ p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
+ for( i = 0; i < i_read / 2 ; i++ )
+ {
+- p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
++ if( i >= count )
++ {
++ MP4_FreeBox_padb( p_box );
++ goto error;
++ }
++ p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
+ p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
+ p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
+ p_box->data.p_padb->i_pad1[i] = ( (*p_peek) )&0x07;
+@@ -1677,15 +1691,10 @@
+ i_read / 2 );
+
+ #endif
+- MP4_READBOX_EXIT( 1 );
+-}
++ code = 1;
+
+-static void MP4_FreeBox_padb( MP4_Box_t *p_box )
+-{
+- FREE(
p_box->data.p_padb->i_reserved1 );
+- FREE( p_box->data.p_padb->i_pad2 );
+- FREE( p_box->data.p_padb->i_reserved2 );
+- FREE( p_box->data.p_padb->i_pad1 );
++error:
++ MP4_READBOX_EXIT( code );
+ }
+
+ static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box )
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/real.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/demux/real.c 2007-11-22 09:23:22.000000000 +1100
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/real.c 2008-06-24 22:29:28.000000000 +1000
+@@ -1082,18 +1082,16 @@
+ tk->i_subpackets =
+ i_subpacket_h * i_frame_size / tk->i_subpacket_size;
+ tk->p_subpackets =
+- malloc( tk->i_subpackets * sizeof(block_t *) );
++ calloc( tk->i_subpackets, sizeof(block_t *) );
+ }
+ else if( fmt.i_codec == VLC_FOURCC('2','8','_','8') )
+ {
+ tk->i_subpackets =
+ i_subpacket_h * i_frame_size / tk->i_coded_frame_size;
+ tk->p_subpackets =
+- malloc( tk->i_subpackets * sizeof(block_t *) );
++ calloc( tk->i_subpackets, sizeof(block_t *) );
+ }
+
+- for( i = 0; i < tk->i_subpackets; i++ ) tk->p_subpackets[i] = NULL;
+-
+ tk->p_es = es_out_Add( p_demux->out, &fmt );
+
+ TAB_APPEND( p_sys->i_track, p_sys->track, tk );
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/034_CVE-2008-1686.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/034_CVE-2008-1686.diff
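Review bot: In MP4_ReadBox_padb the four `calloc( count, sizeof(uint16_t) )` results are never checked, and `count` comes straight from the 32-bit i_sample_count read from the file, so a box claiming on the order of 2^31 samples makes calloc fail and the first iteration then stores `i_reserved1[i]` through a NULL pointer; the new `i >= count` guard does not cover that case because i is still below count. Add after the fourth calloc `if( !p_box->data.p_padb->i_reserved1 || !p_box->data.p_padb->i_pad2 || !p_box->data.p_padb->i_reserved2 || !p_box->data.p_padb->i_pad1 ) { MP4_FreeBox_padb( p_box ); goto error; }`. If i_sample_count is a uint32_t, `(i_sample_count + 1) / 2` also wraps to 0 for 0xffffffff, which the guard then rejects on the first sample — safe, but worth a one-line comment. The real.c `calloc( tk->i_subpackets, sizeof(block_t *) )` calls are likewise unchecked, and the divisors tk->i_subpacket_size / tk->i_coded_frame_size feeding i_subpackets are set outside the hunk, so whether a zero divisor is rejected earlier cannot be confirmed from here.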
@@ -0,0 +1,13 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/speex.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/codec/speex.c 2008-06-24 18:18:32.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/codec/speex.c 2008-06-24 18:18:44.000000000 +1000
+@@ -332,7 +332,7 @@
+ msg_Err( p_dec, "cannot read Speex header" );
+ return VLC_EGENERIC;
+ }
+- if( p_header->mode >= SPEEX_NB_MODES )
++ if( p_header->mode >= SPEEX_NB_MODES || p_header->mode < 0 )
+ {
+ msg_Err( p_dec, "mode number %d does not (yet/any longer) exist in "
+ "this version of libspeex.", p_header->mode );
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/037_CVE-2008-2147.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/037_CVE-2008-2147.diff
@@ -0,0 +1,16 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/src/misc/modules.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/src/misc/modules.c 2008-06-24 18:23:39.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/src/misc/modules.c 2008-06-24 18:23:55.000000000 +1000
+@@ -752,8 +752,10 @@
+ /* Yes, there are two NULLs because we replace one with "plugin-path". */
+ #if defined( WIN32 ) || defined( UNDER_CE )
+ char *path[] = { "modules", "", "plugins", 0, 0 };
+-#else
++#elif defined( SYS_BEOS ) || defined( __APPLE__ )
+ char *path[] = { "modules", PLUGIN_PATH, "plugins", 0, 0 };
++#else
++ char *path[] = { PLUGIN_PATH, NULL, NULL };
+ #endif
+
+ char **ppsz_path = path;
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/032_CVE-2007-6683.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/032_CVE-2007-6683.diff
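Review bot: The widened condition `if( p_header->mode >= SPEEX_NB_MODES || p_header->mode < 0 )` carries no explanation of why a negative mode is dangerous, and the next person tightening this header check will want one; add above it `/* mode is read from the stream; reject negative values as well as ones past SPEEX_NB_MODES (CVE-2008-1686) */`. The changelog entry calls this an arbitrary code execution fix, which suggests mode is later used as an index, but that use site is outside the hunk — confirm before wording the comment that way. The enclosing function starts before the hunk.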
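Review bot: The hardened `char *path[] = { PLUGIN_PATH, NULL, NULL };` only reaches the final `#else`, so the relative `"modules"` and `"plugins"` entries that let plugin loading follow the working directory remain compiled in for WIN32/UNDER_CE and, through the new `#elif`, for SYS_BEOS and __APPLE__; that is moot for this Ubuntu build, but the split deserves a comment so the branches are not later "unified" back, e.g. `/* Unix builds search PLUGIN_PATH only: a relative entry would load plugins from the cwd (CVE-2008-2147) */` above the new `#else`. The "two NULLs" comment above the `#if` now describes all three arrays and still holds for the new one, which is why it keeps a second NULL after the one replaced by "plugin-path". The enclosing function lies outside the hunk.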
@@ -0,0 +1,59 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/src/libvlc.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/src/libvlc.c 2008-06-24 18:12:42.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/src/libvlc.c 2008-06-24 18:12:53.000000000 +1000
+@@ -1054,6 +1054,7 @@
+ int VLC_VariableSet( int i_object, char const *psz_var, vlc_value_t value )
+ {
+ vlc_t *p_vlc = vlc_current_object( i_object );
++ module_config_t *p_item;
+ int i_ret;
+
+ if( !p_vlc )
+@@ -1064,38 +1065,15 @@
+ /* FIXME: Temporary hack for Mozilla, if variable starts with conf:: then
+ * we handle it as a configuration variable. Don't tell Gildas :) -- sam */
+ if( !strncmp( psz_var, "conf::", 6 ) )
+- {
+- module_config_t *p_item;
+- char const *psz_newvar = psz_var + 6;
+-
+- p_item = config_FindConfig( VLC_OBJECT(p_vlc), psz_newvar );
+-
+- if( p_item )
+- {
+- switch( p_item->i_type )
+- {
+- case CONFIG_ITEM_BOOL:
+- config_PutInt( p_vlc, psz_newvar, value.b_bool );
+- break;
+- case CONFIG_ITEM_INTEGER:
+- config_PutInt( p_vlc, psz_newvar, value.i_int );
+- break;
+- case CONFIG_ITEM_FLOAT:
+- config_PutFloat( p_vlc, psz_newvar, value.f_float );
+- break;
+- default:
+- config_PutPsz( p_vlc, psz_newvar, value.psz_string );
+- break;
+- }
+- if( i_object ) vlc_object_release( p_vlc );
+- return VLC_SUCCESS;
+- }
+- }
++ psz_var += 6;
+
+- i_ret = var_Set( p_vlc, psz_var, value );
+-
+- if( i_object ) vlc_object_release( p_vlc );
+- return i_ret;
++ p_item = config_FindConfig( VLC_OBJECT(p_vlc), psz_var );
++ if( !p_item )
++ return VLC_ENOVAR;
++
++ /* None of the variables are safe in this LibVLC version (we don't have
++ * the infrastructure in the 0.8.* branch.
*/
++ return VLC_EGENERIC;
+ }
+
+ /*****************************************************************************
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/036_CVE-2008-1881.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/036_CVE-2008-1881.diff
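Review bot: Both new early returns, `return VLC_ENOVAR;` and `return VLC_EGENERIC;`, skip the `if( i_object ) vlc_object_release( p_vlc );` that the removed code ran on every path, so a call with a non-zero i_object now leaks the reference that vlc_current_object() evidently hands out (the old code balanced it unconditionally); `int i_ret` is also left declared but unused. Replace the tail with `i_ret = p_item ? VLC_EGENERIC : VLC_ENOVAR; if( i_object ) vlc_object_release( p_vlc ); return i_ret;`. Note also that after this patch a plain name without the `conf::` prefix is no longer passed to var_Set() at all — config_FindConfig() is consulted for every name and the function always fails — which matches the "none are safe" comment but makes VLC_VariableSet a no-op for any remaining caller; say so in the comment rather than leaving that to be discovered. The function's `if( !p_vlc )` handling sits between the two hunks and is not visible.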
@@ -0,0 +1,45 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/subtitle.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/demux/subtitle.c 2008-06-24 18:20:37.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/demux/subtitle.c 2008-06-24 18:20:54.000000000 +1000
+@@ -686,6 +686,7 @@
+ * Specific Subtitle function
+ *****************************************************************************/
+ #define MAX_LINE 8192
++#define MAX_LINE_STR "8192" /* used in *scanf() regexps */
+ static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle )
+ {
+ demux_sys_t *p_sys = p_demux->p_sys;
+@@ -722,9 +723,9 @@
+ i_start = 0;
+ i_stop = 0;
+
+- memset( buffer_text, '\0', MAX_LINE );
+- if( sscanf( s, "{%d}{}%8192[^\r\n]", &i_start, buffer_text ) == 2 ||
+- sscanf( s, "{%d}{%d}%8192[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
++ memset( buffer_text, '\0', MAX_LINE + 1 );
++ if( sscanf( s, "{%d}{}%"MAX_LINE_STR"[^\r\n]", &i_start, buffer_text ) == 2 ||
++ sscanf( s, "{%d}{%d}%"MAX_LINE_STR"[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
+ {
+ break;
+ }
+@@ -981,7 +982,7 @@
+ * Dialogue: Layer#,0:02:40.65,0:02:41.79,Wolf main,Cher,0000,0000,0000,,Et les enregistrements de ses ondes delta ?
+ */
+ if( sscanf( s,
+- "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",
++ "Dialogue: %"MAX_LINE_STR"0[^,],%d:%d:%d.%d,%d:%d:%d.%d,%"MAX_LINE_STR"0[^\r\n]",
+ buffer_text2,
+ &h1, &m1, &s1, &c1,
+ &h2, &m2, &s2, &c2,
+@@ -1074,8 +1075,8 @@
+
+ i_start = 0;
+
+- memset( buffer_text, '\0', MAX_LINE );
+- if( sscanf( p, "%d:%d:%d%[ :]%81920[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
++ memset( buffer_text, '\0', MAX_LINE + 1 );
++ if( sscanf( p, "%d:%d:%d%[ :]%"MAX_LINE_STR"0[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
+ {
+ i_start = ( (int64_t)h * 3600*1000 +
+ (int64_t)m * 60*1000 +
only in patch2:
unchanged:
--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/debian/patches/033_CVE-2008-0073.diff
+++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/debian/patches/033_CVE-2008-0073.diff
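Review bot: In the last hunk the cleared size and the conversion width disagree by a factor of ten: `memset( buffer_text, '\0', MAX_LINE + 1 );` clears 8193 bytes, while `%"MAX_LINE_STR"0[^\r\n]` expands to `%81920[^\r\n]` and lets sscanf() store up to 81920 characters plus a terminator into buffer_text. If buffer_text in that function is MAX_LINE + 1 bytes, as the memset implies, the overflow this CVE is about is still there and the width must be `%"MAX_LINE_STR"[^\r\n]`; if it is ten times larger, the memset is merely short. The ParseSSA hunk has the same dependency: `%"MAX_LINE_STR"0[^,]` now needs buffer_text2 to be at least 81921 bytes. The declarations of buffer_text and buffer_text2 sit outside the hunks, so this cannot be settled here; whichever way they are sized, a comment next to MAX_LINE_STR such as `/* a %N[...] conversion needs an N + 1 byte buffer */` would tie the widths to the declarations.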
@@ -0,0 +1,80 @@
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/access/rtsp/real_sdpplin.c
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/access/rtsp/real_sdpplin.c 2008-06-24 18:16:17.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/access/rtsp/real_sdpplin.c 2008-06-24 18:16:36.000000000 +1000
+@@ -138,9 +138,16 @@
+ handled=0;
+
+ if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
+- desc->stream_id=atoi(buf);
+- handled=1;
+- *data=nl(*data);
++ /* This way negative values are mapped to unfeasibly high
++ * values, and will be discarded afterward
++ */
++ unsigned long tmp = strtoul(buf, NULL, 10);
++ if ( tmp > UINT16_MAX )
++ lprintf("stream id out of bound: %lu\n", tmp);
++ else
++ desc->stream_id=tmp;
++ handled=1;
++ *data=nl(*data);
+ }
+ if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
+ desc->max_bit_rate=atoi(buf);
+@@ -254,7 +261,10 @@
+ }
+ stream=sdpplin_parse_stream(&data);
+ lprintf("got data for stream id %u\n", stream->stream_id);
+- desc->stream[stream->stream_id]=stream;
++ if ( stream->stream_id >= desc->stream_count )
++ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
++ else
++ desc->stream[stream->stream_id]=stream;
+ continue;
+ }
+ if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
+@@ -290,10 +300,17 @@
+ }
+ }
+ if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
+- desc->stream_count=atoi(buf);
+- desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+- handled=1;
+- data=nl(data);
++ /* This way negative values are mapped to unfeasibly high
++ * values, and will be discarded afterward
++ */
++ unsigned long tmp = strtoul(buf, NULL, 10);
++ if ( tmp > UINT16_MAX )
++ lprintf("stream count out of bound: %lu\n", tmp);
++ else
++ desc->stream_count = tmp;
++ desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
++
handled=1;
++ data=nl(data);
+ }
+ if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
+ desc->flags=atoi(buf);
+Index: vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/access/rtsp/real_sdpplin.h
+===================================================================
+--- vlc-0.8.6.release.e+x264svn20071224+faad2.6.1.orig/modules/access/rtsp/real_sdpplin.h 2008-06-24 18:16:26.000000000 +1000
++++ vlc-0.8.6.release.e+x264svn20071224+faad2.6.1/modules/access/rtsp/real_sdpplin.h 2008-06-24 18:16:36.000000000 +1000
+@@ -31,7 +31,7 @@
+ char *id;
+ char *bandwidth;
+
+- int stream_id;
++ uint16_t stream_id;
+ char *range;
+ char *length;
+ char *rtpmap;
+@@ -75,7 +75,7 @@
+
+ int flags;
+ int is_real_data_type;
+- int stream_count;
++ uint16_t stream_count;
+ char *title;
+ char *author;
+ char *copyright;
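Review bot: With the new `if ( stream->stream_id >= desc->stream_count )` check a parsed stream can now be dropped, but `desc->stream` is still obtained with `malloc(sizeof(sdpplin_stream_t*)*desc->stream_count)` and never zeroed, so every slot no stream claims — or that a duplicate id overwrites — holds an indeterminate pointer for whatever later walks desc->stream, and the rejected `stream` object itself is leaked. Use `desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));`, check the result, and release the rejected stream with its destructor (not visible here) in the new branch. The allocation also still runs when `tmp > UINT16_MAX`, using whatever stream_count held before (its initial value is set outside the hunk). How desc->stream is consumed is not shown in these hunks, so the uninitialised-slot consequence is inferred from the malloc alone.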