Tag again. I hope this is the good way to do it.

d85ce4a0 · Jean-Baptiste Kempf · 28af5ba3 · 525823a2 · d85ce4a0 · d85ce4a0
Commit d85ce4a0 authored Feb 27, 2008 by Jean-Baptiste Kempf
5 changed files
--- a/ChangeLog
+++ b/ChangeLog
 ------------------------------------------------------------------------
-r25282 | Trax | 2008-02-24 19:58:05 +0000 (Sun, 24 Feb 2008) | 1 line
+r25364 | thresh | 2008-02-26 16:14:14 -0800 (mar, 26 fév 2008) | 2 lines
-Changed paths:
-   M /branches/0.8.6-bugfix/NEWS
+Add one more CVE fixed (this time not really ours, but xinelib's).
+------------------------------------------------------------------------
+r25363 | thresh | 2008-02-26 16:07:15 -0800 (mar, 26 fév 2008) | 2 lines
+Backport [24245] and [24246]
+------------------------------------------------------------------------
+r25362 | thresh | 2008-02-26 15:59:58 -0800 (mar, 26 fév 2008) | 2 lines
+Backport [24247].
+------------------------------------------------------------------------
+r25341 | xtophe | 2008-02-25 14:19:56 -0800 (lun, 25 fév 2008) | 2 lines
+Last update to the changelog and refresh the po
+------------------------------------------------------------------------
+r25282 | Trax | 2008-02-24 11:58:05 -0800 (dim, 24 fév 2008) | 1 line
 NEWS: remove multi-screen improvement for Mac OS X since it isn't included yet
 ------------------------------------------------------------------------

--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ Security updates:
 * Subtitle demuxers overflow (CVE-2007-6681)
 * HTTP listener format string injection (CVE-2007-6682)
 * Fixed buffer overflow in the SDL_image library (CVE-2006-4484)
- * Real RTSP overflows (CVE-2008-0295, CVE-2008-0296, VideoLAN-SA-0801)
+ * Real RTSP overflows (CVE-2008-0225, CVE-2008-0295, CVE-2008-0296, VideoLAN-SA-0801)
 * Arbitrary memory overwrite in the MP4 demuxer (CORE-2008-0130, VideoLAN-SA-0802)
 Audio filter:

--- a/modules/access/rtsp/real_rmff.c
+++ b/modules/access/rtsp/real_rmff.c
--- a/modules/access/rtsp/real_rmff.h
+++ b/modules/access/rtsp/real_rmff.h
@@ -29,6 +29,12 @@
 #define RMFF_HEADER_SIZE 0x12
+#define RMFF_FILEHEADER_SIZE 18
+#define RMFF_PROPHEADER_SIZE 50
+#define RMFF_MDPRHEADER_SIZE 46
+#define RMFF_CONTHEADER_SIZE 18
+#define RMFF_DATAHEADER_SIZE 18
 #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
        (((long)(unsigned char)(ch3)       ) | \
        ( (long)(unsigned char)(ch2) << 8  ) | \
@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t *h);
 /*
 * dumps the header <h> to <buffer>. <max> is the size of <buffer>
 */
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max);
+int rmff_dump_header(rmff_header_t *h, void *buffer, int max);
 /*
 * dumps a packet header

--- a/modules/access/rtsp/real_sdpplin.c
+++ b/modules/access/rtsp/real_sdpplin.c
@@ -92,7 +92,7 @@ static char *nl(char *data) {
 static int filter(const char *in, const char *filter, char **out, size_t outlen) {
  int flen=strlen(filter);
-  int len;
+  size_t len;
  if (!in) return 0;
@@ -185,11 +185,13 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
    }
    if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
      decoded = b64_decode(buf, decoded, &(desc->mlti_data_size));
-      desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
+      if ( decoded != NULL ) {
-      memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
+          desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
-      handled=1;
+          memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
-      *data=nl(*data);
+          handled=1;
-      lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
+          *data=nl(*data);
+          lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
+      }
    }
    if(filter(*data,"a=ASMRuleBook:string;",&buf, BUFLEN)) {
      desc->asm_rule_book=strdup(buf);
@@ -237,40 +239,55 @@ sdpplin_t *sdpplin_parse(char *data) {
    free( desc );
    return NULL;
  }
+  desc->stream = NULL;
  memset(desc, 0, sizeof(sdpplin_t));
  while (data && *data) {
    handled=0;
    if (filter(data, "m=", &buf, BUFLEN)) {
-      stream=sdpplin_parse_stream(&data);
+        if ( !desc->stream ) {
-      lprintf("got data for stream id %u\n", stream->stream_id);
+            fprintf(stderr, "sdpplin.c: stream identifier found before stream count, skipping.");
-      desc->stream[stream->stream_id]=stream;
+            continue;
-      continue;
+        }
+        stream=sdpplin_parse_stream(&data);
+        lprintf("got data for stream id %u\n", stream->stream_id);
+        desc->stream[stream->stream_id]=stream;
+        continue;
    }
    if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
      decoded=b64_decode(buf, decoded, &len);
-      desc->title=strdup(decoded);
+	  if ( decoded != NULL ) {
-      handled=1;
+          desc->title=strdup(decoded);
-      data=nl(data);
+          handled=1;
+          data=nl(data);
+      }
    }
    if(filter(data,"a=Author:buffer;",&buf, BUFLEN)) {
      decoded=b64_decode(buf, decoded, &len);
-      desc->author=strdup(decoded);
+	  if ( decoded != NULL ) {
-      handled=1;
+          desc->author=strdup(decoded);
-      data=nl(data);
+          handled=1;
+          data=nl(data);
+      }
    }
    if(filter(data,"a=Copyright:buffer;",&buf, BUFLEN)) {
      decoded=b64_decode(buf, decoded, &len);
-      desc->copyright=strdup(decoded);
+	  if ( decoded != NULL ) {
-      handled=1;
+          desc->copyright=strdup(decoded);
-      data=nl(data);
+          handled=1;
+          data=nl(data);
+      }
    }
    if(filter(data,"a=Abstract:buffer;",&buf, BUFLEN)) {
      decoded=b64_decode(buf, decoded, &len);
-      desc->abstract=strdup(decoded);
+      if ( decoded != NULL ) {
-      handled=1;
+           desc->abstract=strdup(decoded);
-      data=nl(data);
+           handled=1;
+           data=nl(data);
+      }
    }
    if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
      desc->stream_count=atoi(buf);