diff -u mplayer-0.99+1.0pre7try2+cvs20060117/debian/changelog mplayer-0.99+1.0pre7try2+cvs20060117/debian/changelog
--- mplayer-0.99+1.0pre7try2+cvs20060117/debian/changelog
+++ mplayer-0.99+1.0pre7try2+cvs20060117/debian/changelog
@@ -1,3 +1,24 @@
+mplayer (2:0.99+1.0pre7try2+cvs20060117-0ubuntu8.3) dapper-security; urgency=low
+
+ * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
+ earlier allow remote attackers to cause a denial of service
+ (process termination) and possibly execute arbitrary code via a
+ crafted video file that causes the stream_read function to read or
+ write arbitrary memory (LP: #279030)
+ - debian/patches/69_CVE-2008-3827.dpatch: Address various integer
+ underflows. Patch from oCert.org.
+ - http://www.ocert.org/advisories/ocert-2008-013.html
+ - CVE-2008-3827
+ * SECURITY UPDATE: Uncontrolled array index in the sdpplin_parse function in
+ stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to
+ overwrite memory and execute arbitrary code via a large streamid SDP
+ parameter. (LP: #212601).
+ - debian/patches/68_CVE-2008-1558.dpatch: Properly check the stream ID.
+ Patch from upstream.
+ - CVE-2008-1558
+
+ -- Stefan Lesicnik Fri, 10 Oct 2008 22:23:45 +0200
+
 mplayer (2:0.99+1.0pre7try2+cvs20060117-0ubuntu8.2) dapper-security; urgency=low
 
 * SECURITY UPDATE: buffer overruns in RMMF, CDDB, MOV demuxer, and URL
diff -u mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/00list mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/00list
--- mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/00list
+++ mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/00list
@@ -17,0 +18,2 @@
+68_CVE-2008-1558.dpatch
+69_CVE-2008-3827.dpatch
only in patch2: unchanged:
--- mplayer-0.99+1.0pre7try2+cvs20060117.orig/debian/patches/68_CVE-2008-1558.dpatch
+++ mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/68_CVE-2008-1558.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 68_CVE-2008-1558.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2008-1558.
+
+@DPATCH@
+--- libmpdemux/realrtsp/sdpplin.c.patch 2008-10-10 22:05:34.000000000 +0200
++++ mplayer-0.99+1.0pre7try2+cvs20060117/libmpdemux/realrtsp/sdpplin.c 2008-10-10 22:06:45.000000000 +0200
+@@ -290,7 +290,8 @@ sdpplin_t *sdpplin_parse(char *data) {
+
+ if(filter(data,"a=StreamCount:integer;",&buf)) {
+ desc->stream_count=(unsigned int)atoi(buf);
+- desc->stream=malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
++ desc->stream=calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
++ if (!desc->stream) desc->stream_count = 0;
+ handled=1;
+ data=nl(data);
+ }
only in patch2: unchanged:
--- mplayer-0.99+1.0pre7try2+cvs20060117.orig/debian/patches/69_CVE-2008-3827.dpatch
+++ mplayer-0.99+1.0pre7try2+cvs20060117/debian/patches/69_CVE-2008-3827.dpatch
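Review bot: The only hunk in this dpatch changes how desc->stream is allocated; no comparison of a parsed stream id against desc->stream_count appears in it, although the changelog entry for 68_CVE-2008-1558.dpatch says it "properly checks the stream ID" and names a large streamid parameter as the trigger. If that index check is not already present in the rest of sdpplin_parse (the function starts and ends outside the hunk), the allocation change alone leaves the out-of-range slot write reachable, so please confirm the guard exists where the parsed stream is stored into desc->stream, or add one of the form `if (stream_id >= desc->stream_count) { /* reject the stream */ }` before that store. The switch from malloc to calloc is worthwhile in itself, since calloc performs the overflow-checked multiplication and zero-fills, so a stream_count that wraps through the (unsigned int) cast of atoi fails allocation instead of yielding a short buffer, and resetting stream_count to 0 on failure keeps the count consistent with the missing array. A one-line comment above the calloc would record that intent: `/* calloc: overflow-checked size and zeroed slots; on failure keep stream_count consistent with the (absent) array */`.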
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 69_CVE-2008-3827.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2008-3827.
+
+@DPATCH@
+--- libmpdemux/demux_real.c 2007-02-03 03:16:07 +0000
++++ mplayer-0.99+1.0pre7try2+cvs20060117/libmpdemux/demux_real.c 2008-10-08 13:27:55 +0000
+@@ -953,6 +953,7 @@
+ // last fragment!
+ if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=vpkg_offset;
+@@ -975,6 +976,7 @@
+ // non-last fragment:
+ if(dp_hdr->len!=vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
++ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=len;
+@@ -998,6 +1000,7 @@
+ extra[0]=1; extra[1]=0; // offset of the first chunk
+ if(0x00==(vpkg_header&0xc0)){
+ // first fragment:
++ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ dp_hdr->len=len;
+ stream_read(demuxer->stream, dp_data, len);
+ ds->asf_packet=dp;
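Review bot: The three added clamps depend on `dp->len - sizeof(dp_hdr_t) - dp_hdr->len` being evaluated in size_t, because sizeof forces unsigned arithmetic, so that a negative vpkg_offset or len converts to a huge unsigned value and is caught; that reliance is stated nowhere, and a later "cleanup" into signed arithmetic would silently reintroduce the underflow the patch is fixing. The same unsigned evaluation means that if dp_hdr->len ever exceeds dp->len - sizeof(dp_hdr_t) the bound wraps to SIZE_MAX and the clamp does nothing; from the visible lines that looks unreachable, since the first-fragment clamp bounds dp_hdr->len from the start, but it rests on dp->len being at least sizeof(dp_hdr_t) where the packet is allocated, which is outside the hunk and worth confirming. A further point is that the clamp silently shortens the read and leaves the rest of the fragment unread in the stream, while the adjacent mp_msg warnings only report mismatched lengths, not the truncation. I would put the same comment above each of the three guards, `/* evaluated in size_t: a negative length becomes huge and is clamped; do not rewrite as signed arithmetic */`, and log an MSGL_V message when a clamp triggers so truncated packets are visible in the demuxer output. The enclosing function starts and ends outside the hunk.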