


mplayer-1.0-1.pre7.12.4.20060mdk.src.rpm

--- MPlayer-1.0pre7/libavcodec/4xm.c.cve-2006-4800	2005-04-16 14:41:13.000000000 -0600
+++ MPlayer-1.0pre7/libavcodec/4xm.c	2006-09-25 11:54:03.000000000 -0600
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size missmatch %d %d\n", buf_size, get32(buf+4));
     }
 
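Review bot: The new `buf_size < 20` test only logs and the function carries on, so a short packet still reaches the `buf+20` reads further down, and `get32(buf)` / `get32(buf+4)` on the lines above the test already read eight bytes before any length check runs. Move the length test ahead of those reads and reject the packet there, `if(buf_size < 20) return -1;` placed before `frame_4cc= get32(buf);`, leaving the existing mismatch log as it is. decode_frame starts and ends outside this hunk, so whether a later line already rejects short packets is not visible here.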
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
         cfrm= &f->cfrm[i];
         
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
         
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
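Review bot: The NULL check is placed after the result has already been stored in cfrm->data, so on failure the previous buffer pointer is overwritten (and leaked, if av_fast_realloc keeps the old block alive the way realloc does) while cfrm->size still describes it; assign through a temporary, `void *tmp = av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);` then `if(!tmp){ … return -1; }` and `cfrm->data = tmp;`. The new log string should read `"realloc failure\n"` — the other messages in this patch are spelled correctly and newline-terminated. Whether data_size has been bounded by buf_size - 20 before the memcpy is decided above this hunk, which begins inside decode_frame.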
--- MPlayer-1.0pre7/libavcodec/alac.c.cve-2006-4800	2005-04-16 14:41:13.000000000 -0600
+++ MPlayer-1.0pre7/libavcodec/alac.c	2006-09-25 11:52:50.000000000 -0600
@@ -92,6 +92,10 @@ void alac_set_info(ALACContext *alac)
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
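Review bot: The new `return -1;` here, and the `return 0;` added in the @@ -110 hunk, return a value from a function the hunk header still shows as `void alac_set_info(ALACContext *alac)`, and no hunk in this patch changes that signature, so the statements are a constraint violation (GCC warns, stricter compilers reject) and any existing caller discards the result. The declaration needs to become `int alac_set_info(ALACContext *alac)` and its caller, which is outside this hunk, has to fail initialisation when -1 comes back. `UINT_MAX` also needs `<limits.h>`; this hunk does not show it being included.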
@@ -110,6 +114,8 @@ void alac_set_info(ALACContext *alac)
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
--- MPlayer-1.0pre7/libavcodec/dtsdec.c.cve-2006-4800	2005-04-16 14:41:13.000000000 -0600
+++ MPlayer-1.0pre7/libavcodec/dtsdec.c	2006-09-25 11:56:24.000000000 -0600
@@ -33,8 +33,7 @@
 #include <malloc.h>
 #endif
 
-#define INBUF_SIZE 4096
-#define BUFFER_SIZE 4096
+#define BUFFER_SIZE 18726
 #define HEADER_SIZE 14
 
 #ifdef LIBDTS_FIXED
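Review bot: 18726 is introduced without a comment, so a reader cannot tell what it bounds or why 4096 was too small. The frame length written into the buffer comes from dts_syncinfo (see the @@ -248 hunk), so a comment such as `#define BUFFER_SIZE 18726 /* largest frame length libdts can report — TODO confirm against dts_syncinfo */` would record the assumption the buffer size now rests on.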
@@ -231,9 +230,11 @@ dts_decode_frame (AVCodecContext *avctx,
       memcpy (bufptr, start, len);
       bufptr += len;
       start += len;
-      if (bufptr == bufpos)
-        {
-          if (bufpos == buf + HEADER_SIZE)
+      if (bufptr != bufpos)
+          return start - buff;
+      if (bufpos != buf + HEADER_SIZE)
+          break;
+
             {
               int length;
 
@@ -248,7 +249,8 @@ dts_decode_frame (AVCodecContext *avctx,
                 }
               bufpos = buf + length;
             }
-          else
+    }
+
             {
               level_t level;
               sample_t bias;
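Review bot: `bufpos = buf + length;` still takes length straight from dts_syncinfo, and the only thing keeping the memcpy in the previous hunk inside `buf` is the enlarged BUFFER_SIZE from the @@ -33 hunk; an explicit `if (length > BUFFER_SIZE)` test before the assignment, rejecting the frame the way the `!length` branch just above does, would make the bound local to the code that depends on it. The loop this block sits in starts outside the hunk.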
@@ -280,16 +282,14 @@ dts_decode_frame (AVCodecContext *avctx,
                 }
               bufptr = buf;
               bufpos = buf + HEADER_SIZE;
-              continue;
+              return start-buff;
             error:
               av_log (NULL, AV_LOG_ERROR, "error\n");
               bufptr = buf;
               bufpos = buf + HEADER_SIZE;
             }
-        }
-    }
 
-  return buff_size;
+  return start-buff;
 }
 
 static int
@@ -297,7 +297,7 @@ dts_decode_init (AVCodecContext *avctx)
 {
   avctx->priv_data = dts_init (0);
   if (avctx->priv_data == NULL)
-    return 1;
+    return -1;
 
   return 0;
 }
--- MPlayer-1.0pre7/libavcodec/shorten.c.cve-2006-4800	2005-04-16 14:41:13.000000000 -0600
+++ MPlayer-1.0pre7/libavcodec/shorten.c	2006-09-25 11:52:50.000000000 -0600
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chan<s->channels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; i<s->nwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }
 
 
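Review bot: The new size guards stop the sizeof(int32_t) multiplications from overflowing, but the two av_realloc results on the lines that follow are still stored unchecked, so an allocation failure leaves s->decoded[chan] NULL and the zeroing loop dereferences it; add `if(!s->offset[chan] || !s->decoded[chan]) return -1;` after the second av_realloc, and prefer assigning through a temporary so a failed realloc does not overwrite (and leak) the previous pointer. Both guards depend only on s->nmean, s->blocksize and s->nwrap, so they can sit once above the `for (chan=…)` loop instead of being re-evaluated per channel. s->decoded[chan] is advanced by s->nwrap at the end of each iteration, so if allocate_buffers can run more than once (its callers are outside this hunk) the next av_realloc would receive an interior pointer — worth confirming. Whether shorten_decode_init or the frame decoder checks the new int return is also outside this hunk.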
--- MPlayer-1.0pre7/libavcodec/snow.c.cve-2006-4800	2006-09-25 11:57:56.000000000 -0600
+++ MPlayer-1.0pre7/libavcodec/snow.c	2006-09-25 12:01:17.000000000 -0600
@@ -3162,6 +3162,12 @@ static int decode_header(SnowContext *s)
     s->qbias= get_symbol(&s->c, s->header_state, 1);
     s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
 
+    if(s->block_max_depth > 1 || s->block_max_depth < 0){
+        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
+        s->block_max_depth= 0;
+        return -1;
+    }
+
     return 0;
 }