
gstreamer-ffmpeg-0.8.6-1.2.20060mdk.src.rpm

--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/4xm.c.cve-2006-4800	2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/4xm.c	2006-09-21 14:47:58.000000000 -0600
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
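Review bot: The widened condition `buf_size != get32(buf+4)+8 || buf_size < 20` still leads only to the `av_log` call; the visible branch has no `return`, so a packet shorter than 20 bytes is reported and then processed anyway. Both `get32(buf)` and `get32(buf+4)` are also evaluated before the length test, so the short-buffer check should come first and bail out, e.g. `if(buf_size < 20) return -1;` ahead of `frame_4cc= get32(buf);`. The rest of decode_frame lies outside the hunk, so whether a later path rejects such a frame cannot be confirmed from here.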
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
         cfrm= &f->cfrm[i];
         
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
         
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
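Review bot: The result of `av_fast_realloc` is stored straight into `cfrm->data`, so on the new error path the previous buffer pointer is overwritten with NULL while `cfrm->size` still counts its bytes. Assuming the helper follows realloc semantics, that leaks the old block. Keeping the result in a temporary and assigning it only when non-NULL, or resetting `cfrm->size` to 0 before `return -1;`, would keep the state consistent. The requested size `cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE` depends on `data_size`, which is set outside the hunk; if it is derived from the packet it wants a range check before this call. The log string also lacks its newline and misspells the word: `"realloc failure\n"`.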
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/alac.c.cve-2006-4800	2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/alac.c	2006-09-21 14:45:52.000000000 -0600
@@ -92,6 +92,10 @@ void alac_set_info(ALACContext *alac)
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
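Review bot: The added `return -1;` sits in a function that the hunk header still shows as `void alac_set_info(ALACContext *alac)`, and no hunk on this page changes that signature. Callers therefore cannot observe the rejection, and compilers will complain about returning a value from a void function. The same applies to the `return 0;` added at the end of the function in the next hunk. The definition should become `int alac_set_info(ALACContext *alac)`, and its caller, which is outside the visible hunks, should fail initialisation on a non-zero result. Otherwise the oversized value is rejected here, but decoding presumably continues with buffers that were never allocated.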
@@ -110,6 +114,8 @@ void alac_set_info(ALACContext *alac)
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/shorten.c.cve-2006-4800	2005-04-21 13:01:29.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/shorten.c	2006-09-21 14:45:54.000000000 -0600
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chan<s->channels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; i<s->nwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }
 
 
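Review bot: Neither `av_realloc` result is checked, so if an allocation fails after the new size checks pass, the zeroing loop writes through a NULL `s->decoded[chan]`. Adding `if(!s->offset[chan]) return -1;` and `if(!s->decoded[chan]) return -1;` after the respective calls closes that path. The two range checks do not depend on `chan` and could sit before the loop. Since allocate_buffers now returns `int`, its call sites, which are outside this hunk, must test the result for the new error paths to have any effect.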
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/vorbis.c.cve-2006-4800	2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/vorbis.c	2006-09-21 14:45:16.000000000 -0600
@@ -743,10 +743,17 @@ static int vorbis_parse_id_hdr(vorbis_co
     bl1=get_bits(gb, 4);
     vc->blocksize_0=(1<<bl0);
     vc->blocksize_1=(1<<bl1);
-    if (bl0>13 || bl0<6 || bl1>13 || bl1<6) {
+    if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
         return 3;
     }
+    // output format int16
+    if (vc->blocksize_1/2 * vc->audio_channels * 2 >
+                                             AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+               "output packets too large.\n");
+        return 4;
+    }
     vc->swin=vwin[bl0-6];
     vc->lwin=vwin[bl1-6];