diff -Nru vlc-2.2.4/debian/changelog vlc-2.2.4/debian/changelog
--- vlc-2.2.4/debian/changelog 2017-03-06 06:29:06.000000000 -0600
+++ vlc-2.2.4/debian/changelog 2017-07-09 22:37:06.000000000 -0500
@@ -1,3 +1,23 @@
+vlc (2.2.4-14ubuntu2.1) zesty-security; urgency=high
+
+ * SECURITY UPDATE: Crash due to Out-of-Bound Heap Memory Write (LP: #1693893)
+ - fix-CVE-2017-10699.patch
+ - CVE-2017-10699
+ * SECURITY UPDATE: Fix potential out of bound reads
+ - fix-CVE-2017-8310.patch
+ - CVE-2017-8310
+ * SECURITY UPDATE: Fix invalid double increment
+ - fix-CVE-2017-8311.patch
+ - CVE-2017-8311
+ * SECURITY UPDATE: Fix potential heap buffer overflow
+ - fix-CVE-2017-8312.patch
+ - CVE-2017-8312
+ * SECURITY UPDATE: ParseJSS: fix out-of-bounds read
+ - fix-CVE-2017-8313.patch
+ - CVE-2017-8313
+
+ -- Simon Quigley Sun, 09 Jul 2017 22:37:06 -0500
+
 vlc (2.2.4-14ubuntu2) zesty; urgency=medium
 
 * No-change rebuild against latest libbluray
diff -Nru vlc-2.2.4/debian/patches/fix-CVE-2017-10699.patch vlc-2.2.4/debian/patches/fix-CVE-2017-10699.patch
--- vlc-2.2.4/debian/patches/fix-CVE-2017-10699.patch 1969-12-31 18:00:00.000000000 -0600
+++ vlc-2.2.4/debian/patches/fix-CVE-2017-10699.patch 2017-07-09 22:29:32.000000000 -0500
@@ -0,0 +1,40 @@
+Description: check visible size when creating buffer
+ avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before
+ 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy()
+ with a wrong size, leading to a denial of service (application crash) or
+ possibly code execution.
+ .
+ This fixes CVE-2017-10699.
+Author: Francois Cartegnie
+Origin: upstream
+Applied-Upstream: 6cc73bcad19da2cd2e95671173f2e0d203a57e9b, a38a85db58c569cc592d9380cc07096757ef3d49
+Last-Update: 2017-07-07
+--- a/modules/codec/avcodec/video.c
++++ b/modules/codec/avcodec/video.c
+@@ -137,9 +137,11 @@ static inline picture_t *ffmpeg_NewPictB
+ }
+
+
+- if( width == 0 || height == 0 || width > 8192 || height > 8192 )
++ if( width == 0 || height == 0 || width > 8192 || height > 8192 ||
++ width < p_context->width || height < p_context->height )
+ {
+- msg_Err( p_dec, "Invalid frame size %dx%d.", width, height );
++ msg_Err( p_dec, "Invalid frame size %dx%d. vsz %dx%d",
++ width, height, p_context->width, p_context->height );
+ return NULL; /* invalid display size */
+ }
+ p_dec->fmt_out.video.i_width = width;
+--- a/src/input/decoder.c
++++ b/src/input/decoder.c
+@@ -2059,7 +2059,9 @@ static picture_t *vout_new_buffer( decod
+ vout_thread_t *p_vout;
+
+ if( !p_dec->fmt_out.video.i_width ||
+- !p_dec->fmt_out.video.i_height )
++ !p_dec->fmt_out.video.i_height ||
++ p_dec->fmt_out.video.i_width < p_dec->fmt_out.video.i_visible_width ||
++ p_dec->fmt_out.video.i_height < p_dec->fmt_out.video.i_visible_height )
+ {
+ /* Can't create a new vout without display size */
+ return NULL;
diff -Nru vlc-2.2.4/debian/patches/fix-CVE-2017-8310.patch vlc-2.2.4/debian/patches/fix-CVE-2017-8310.patch
--- vlc-2.2.4/debian/patches/fix-CVE-2017-8310.patch 1969-12-31 18:00:00.000000000 -0600
+++ vlc-2.2.4/debian/patches/fix-CVE-2017-8310.patch 2017-07-09 22:29:32.000000000 -0500
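Review bot: The widened size check in ffmpeg_NewPictBuf (modules/codec/avcodec/video.c) gives no hint of why a display size smaller than the codec context size has to be rejected; the patch description says the buffer is later filled by a memcpy sized from the context, so a one-line comment above the condition, `/* the picture is filled using the context's size; a smaller display size would overflow it */`, would keep the extra clauses from being "simplified" away later. The same invariant is enforced a second time in vout_new_buffer (src/input/decoder.c) against i_visible_width/i_visible_height; a matching comment or a cross-reference there would make clear that both checks are deliberate rather than redundant. The types of width, height and p_context->width/height are not visible in the hunk; if they are signed ints, a zero or negative context size passes the new comparison, so it is worth confirming that the context size has already been validated as positive before this point. Both functions start and end outside the hunk.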
@@ -0,0 +1,48 @@
+Description: Fix potential out of bound reads
+ Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to
+ missing check of string termination allows attackers to read data beyond
+ allocated memory and potentially crash the process (causing a denial of
+ service) via a crafted subtitles file.
+ .
+ This fixes CVE-2017-8310.
+Author: Yannay Livneh
+Origin: upstream
+Applied-Upstream: 7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328
+Last-Update: 2017-07-07
+--- a/modules/codec/subsdec.c
++++ b/modules/codec/subsdec.c
+@@ -664,7 +664,7 @@ static char *CreateHtmlSubtitle( int *pi
+ HtmlCopy( &psz_html, &psz_subtitle, "" );
++ if (*psz_subtitle == '\0') break;
+ psz_subtitle++;
+ }
+ else if( !strncmp( psz_subtitle, "
+Origin: upstream
+Applied-Upstream: 775de716add17322f24b476439f903a829446eb6
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1865,7 +1865,7 @@ static int ParseJSS( demux_t *p_demux, s
+ if( ( toupper((unsigned char)*(psz_text + 1 ) ) == 'C' ) ||
+ ( toupper((unsigned char)*(psz_text + 1 ) ) == 'F' ) )
+ {
+- psz_text++; psz_text++;
++ psz_text++;
+ break;
+ }
+ if( (*(psz_text + 1 ) ) == 'B' || (*(psz_text + 1 ) ) == 'b' ||
diff -Nru vlc-2.2.4/debian/patches/fix-CVE-2017-8312.patch vlc-2.2.4/debian/patches/fix-CVE-2017-8312.patch
--- vlc-2.2.4/debian/patches/fix-CVE-2017-8312.patch 1969-12-31 18:00:00.000000000 -0600
+++ vlc-2.2.4/debian/patches/fix-CVE-2017-8312.patch 2017-07-09 22:29:32.000000000 -0500
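Review bot: In the ParseJSS hunk carried by fix-CVE-2017-8311.patch, `toupper((unsigned char)*(psz_text + 1))` is evaluated twice in the condition that guards the now-single `psz_text++`; hoisting it into a local, `int c = toupper( (unsigned char)psz_text[1] );` and testing `c == 'C' || c == 'F'`, reads more clearly and makes explicit which character the pointer is meant to land on after the fix. Whether the enclosing loop advances psz_text once more after the `break` is outside the hunk, so the end-of-string behaviour after the correction cannot be confirmed from here; a comment such as `/* leave psz_text on the directive letter; the loop advances past it */` (if that is indeed what the loop does) would pin it down. The CreateHtmlSubtitle hunk from fix-CVE-2017-8310.patch is truncated on this page after the `strncmp( psz_subtitle, "` literal, together with the header of the 8311 patch, so that change could not be reviewed here.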
@@ -0,0 +1,40 @@
+Description: Fix potential heap buffer overflow
+ Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of
+ string length allows attackers to read heap uninitialized data via a
+ crafted subtitles file.
+ .
+ This fixes CVE-2017-8312.
+Author: Hugo Beauzée-Luyssen
+Origin: upstream
+Applied-Upstream: 611398fc8d32f3fe4331f60b220c52ba3557beaa
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1685,7 +1685,8 @@ static int ParseJSS( demux_t *p_demux, s
+ if( !s )
+ return VLC_EGENERIC;
+
+- psz_orig = malloc( strlen( s ) + 1 );
++ size_t line_length = strlen( s );
++ psz_orig = malloc( line_length + 1 );
+ if( !psz_orig )
+ return VLC_ENOMEM;
+ psz_text = psz_orig;
+@@ -1725,6 +1726,8 @@ static int ParseJSS( demux_t *p_demux, s
+ {
+ case 'S':
+ shift = isalpha( (unsigned char)psz_text[2] ) ? 6 : 2 ;
++ if ( shift > line_length )
++ continue;
+
+ if( sscanf( &psz_text[shift], "%d", &h ) )
+ {
+@@ -1762,6 +1765,8 @@ static int ParseJSS( demux_t *p_demux, s
+
+ case 'T':
+ shift = isalpha( (unsigned char)psz_text[2] ) ? 8 : 2 ;
++ if ( shift > line_length )
++ continue;
+
+ sscanf( &psz_text[shift], "%d", &p_sys->jss.i_time_resolution );
+ break;
diff -Nru vlc-2.2.4/debian/patches/fix-CVE-2017-8313.patch vlc-2.2.4/debian/patches/fix-CVE-2017-8313.patch
--- vlc-2.2.4/debian/patches/fix-CVE-2017-8313.patch 1969-12-31 18:00:00.000000000 -0600
+++ vlc-2.2.4/debian/patches/fix-CVE-2017-8313.patch 2017-07-09 22:29:32.000000000 -0500
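Review bot: The new `shift > line_length` guards in the 'S' and 'T' cases bound the access against the length of the whole line `s`, but the index is applied to psz_text, not psz_orig; if psz_text has been advanced past leading characters between the first hunk (`psz_text = psz_orig;`) and the switch — the ~30 lines in between are not visible here — line_length overstates the bytes remaining after psz_text and `&psz_text[shift]` can still land past the terminator. Measuring from the actual read position, `if( shift > line_length - (size_t)( psz_text - psz_orig ) ) continue;`, removes that dependency on what the intervening code does to psz_text. shift is assigned plain int constants, so the comparison is also signed/unsigned mixed and will trip -Wsign-compare on a build that enables it; `(size_t)shift` on the left side keeps it clean. ParseJSS starts before the first hunk and ends after the last.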
@@ -0,0 +1,24 @@
+Description: ParseJSS: fix out-of-bounds read
+ The previous loop would continue until a space is found, which of course means
+ that it would step out of bounds if the string did not contain such.
+ .
+ These changes simply terminates the loop if the end of the string is reached.
+ .
+ This fixes CVE-2017-8313.
+Author: Filip Roséen
+Origin: upstream
+Applied-Upstream: 05b653355ce303ada3b5e0e645ae717fea39186c
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1812,8 +1812,8 @@ static int ParseJSS( demux_t *p_demux, s
+ /* Parse the directives */
+ if( isalpha( (unsigned char)*psz_text ) || *psz_text == '[' )
+ {
+- while( *psz_text != ' ' )
+- { psz_text++ ;};
++ while( *psz_text && *psz_text != ' ' )
++ ++psz_text;
+
+ /* Directives are NOT parsed yet */
+ /* This has probably a better place in a decoder ? */
diff -Nru vlc-2.2.4/debian/patches/series vlc-2.2.4/debian/patches/series
--- vlc-2.2.4/debian/patches/series 2016-12-09 08:12:49.000000000 -0600
+++ vlc-2.2.4/debian/patches/series 2017-07-09 22:31:14.000000000 -0500
@@ -10,3 +10,8 @@
 skins-implement-silent-mode-make.patch
 skins2-do-not-generate-broken-default.vlt-on-error.patch
 VLSub-don-t-pretend-to-support-HTTP-1.1.patch
+fix-CVE-2017-10699.patch
+fix-CVE-2017-8310.patch
+fix-CVE-2017-8311.patch
+fix-CVE-2017-8312.patch
+fix-CVE-2017-8313.patch
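Review bot: After the corrected loop `while( *psz_text && *psz_text != ' ' ) ++psz_text;` in ParseJSS, psz_text can now rest on the terminator instead of on a space, and the code that consumes the directive afterwards (past the two "Directives are NOT parsed yet" comments, outside the hunk) is not visible; if it steps over the expected space unconditionally, the end-of-string case is only half handled and a guard right after the loop, `if( *psz_text == '\0' ) continue;` (or whatever the enclosing loop uses to skip a line), would close it. A short comment above the loop, `/* skip the directive token; also stop at the terminator, the line may have no space */`, would record why the extra test is there so it is not dropped as redundant. ParseJSS starts and ends outside the hunk.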