diff -u mplayer-1.0~rc1/debian/changelog mplayer-1.0~rc1/debian/changelog
--- mplayer-1.0~rc1/debian/changelog
+++ mplayer-1.0~rc1/debian/changelog
@@ -1,3 +1,25 @@
+mplayer (2:1.0~rc1-0ubuntu13.3) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
+ earlier allow remote attackers to cause a denial of service
+ (process termination) and possibly execute arbitrary code via a
+ crafted video file that causes the stream_read function to read or
+ write arbitrary memory (LP: #279030)
+ - libmpdemux/demux_real.c: Address various integer underflows. Patch
+ from oCert.org.
+ - http://www.ocert.org/advisories/ocert-2008-013.html
+ - CVE-2008-3827
+ * SECURITY UPDATE: Uncontrolled array index in the sdpplin_parse function in
+ stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to
+ overwrite memory and execute arbitrary code via a large streamid SDP
+ parameter. (LP: #212601).
+ - Cherrypicked rev 80 from lp:~ubuntu-dev/mplayer/ubuntu (William Grant)
+ stream/realrtsp/sdpplin.c: Properly check the stream ID. Patch from
+ upstream.
+ - CVE-2008-1558
+
+ -- Stefan Lesicnik Fri, 10 Oct 2008 20:55:42 +0200
+
 mplayer (2:1.0~rc1-0ubuntu13.2) gutsy-security; urgency=low
 
 * SECURITY UPDATE: buffer overruns in RMMF, CDDB, MOV demuxer, FLAC header
only in patch2: unchanged:
--- mplayer-1.0~rc1.orig/libmpdemux/demux_real.c
+++ mplayer-1.0~rc1/libmpdemux/demux_real.c
@@ -953,6 +953,7 @@
 // last fragment!
 if(dp_hdr->len!=vpkg_length-vpkg_offset)
 mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
+ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
 stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
 if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks;
 else dp_hdr->len+=vpkg_offset;
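Review bot: The clamp added before stream_read is only effective if `dp->len - sizeof(dp_hdr_t) - dp_hdr->len` never wraps: sizeof makes the arithmetic size_t, so should dp_hdr->len ever exceed the payload room the bound becomes huge and the clamp is a no-op; the hunk at -975 adds the same expression, and the first-fragment clamp at -998 (`dp->len - sizeof(dp_hdr_t)`) likewise assumes the packet was allocated at least header-sized, which is presumably done outside these hunks. That invariant holds only if every path that grows dp_hdr->len is clamped the same way, which cannot be seen here, so it deserves a named bound and a comment, e.g. `size_t room = dp->len - sizeof(dp_hdr_t) - dp_hdr->len; /* invariant: dp_hdr->len <= payload size, kept by every clamped read */ if (vpkg_offset > room) vpkg_offset = room;`. When the clamp fires the read is silently shortened while the stream stays positioned mid-fragment, so an mp_msg at MSGL_V in that branch would make a malformed packet visible in the log instead of quietly accepted. The enclosing function begins and ends outside the hunk.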
@@ -975,6 +976,7 @@
 // non-last fragment:
 if(dp_hdr->len!=vpkg_offset)
 mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
+ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
 stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
 if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks;
 else dp_hdr->len+=len;
@@ -998,6 +1000,7 @@
 extra[0]=1; extra[1]=0; // offset of the first chunk
 if(0x00==(vpkg_header&0xc0)){
 // first fragment:
+ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
 dp_hdr->len=len;
 stream_read(demuxer->stream, dp_data, len);
 ds->asf_packet=dp;
only in patch2: unchanged:
--- mplayer-1.0~rc1.orig/stream/realrtsp/sdpplin.c
+++ mplayer-1.0~rc1/stream/realrtsp/sdpplin.c
@@ -330,7 +330,8 @@
 
 if(filter(data,"a=StreamCount:integer;",&buf)) {
 desc->stream_count=(unsigned int)atoi(buf);
- desc->stream=malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+ desc->stream=calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
+ if (!desc->stream) desc->stream_count = 0;
 handled=1;
 data=nl(data);
 }
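Review bot: In the sdpplin.c hunk the new NULL check turns an allocation failure into a silent `stream_count = 0` while `handled=1` still consumes the line, so neither a failed calloc nor an absurd a=StreamCount value (which `(unsigned int)atoi(buf)` turns into a huge count for any negative input) leaves any trace in the log. Parsing then continues as though the descriptor had no streams; that is safe if later stream indices are checked against stream_count, as the changelog's stream-ID fix suggests, but the failure should at least be reported, e.g. `if (!desc->stream) { mp_msg(MSGT_OPEN, MSGL_ERR, "sdpplin: cannot allocate %u streams\n", desc->stream_count); desc->stream_count = 0; }`, assuming mp_msg is already used in this file. Reading the count with strtoul plus a range check instead of atoi would reject negative or non-numeric input before the allocation is attempted. sdpplin_parse starts and ends outside the hunk.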