path: root/multimedia/mplayer/files/patch-CVE-2006-1502
blob: 4e9fe7e3cf3297144d5e8911e941e24e6b6f4ce4 (plain)
--- libmpdemux/aviheader.c.orig	Tue Feb 22 17:24:18 2005
+++ libmpdemux/aviheader.c	Fri Apr  7 11:56:53 2006
@@ -205,8 +205,10 @@
       break; }
     case mmioFOURCC('i', 'n', 'd', 'x'): {
       uint32_t i;
-      unsigned msize = 0;
       avisuperindex_chunk *s;
+      if(chunksize<=24){
+        break;
+      }
       priv->suidx_size++;
       priv->suidx = realloc(priv->suidx, priv->suidx_size * sizeof (avisuperindex_chunk));
       s = &priv->suidx[priv->suidx_size-1];
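Review bot: The new `if(chunksize<=24)` guard drops the `indx` chunk silently and leaves the 24 unexplained, while the truncation path added further down logs "Broken super index chunk". A matching `mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk (too short)\n");` before the `break` would make rejected files diagnosable, and a comment should say what the 24 bytes cover (presumably the fixed header fields read before the entries; confirm against the reads that follow outside this hunk). Separately, the unchanged context still assigns `realloc` straight to `priv->suidx` after `suidx_size++`, so an allocation failure loses the old array and the next line takes `&priv->suidx[...]` from a NULL base; a temporary plus a NULL check would close that. Whether the stream is positioned correctly after the early `break` depends on code after the switch, which is not visible here.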
@@ -224,11 +226,18 @@
 	  
       print_avisuperindex_chunk(s);
 
-      msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse;
-      s->aIndex = malloc(msize);
-      memset (s->aIndex, 0, msize);
-      s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk));
-      memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));
+      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+      }
+
+      // Check and fix this useless crap
+      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+        s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+      }
+      s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
+      s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
 
       // now the real index of indices
       for (i=0; i<s->nEntriesInUse; i++) {
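Review bot: The clamp `(chunksize/4)/s->wLongsPerEntry` divides by `s->wLongsPerEntry` before the block below it normalises that field, so a chunk carrying `wLongsPerEntry == 0` causes a division by zero inside the very check meant to reject broken input. Moving the `if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4)` block above the `nEntriesInUse` clamp makes the divisor a known non-zero constant before it is used. The two `calloc` results are also used unchecked, and the loop starting on the last line of the hunk (its body is outside the hunk) iterates over the entries, so a guard such as `if(!s->aIndex || !s->stdidx) { s->nEntriesInUse = 0; break; }`, or the project's usual out-of-memory handling, is needed. The clamp also divides the whole `chunksize`, although the earlier guard suggests 24 bytes of it are header, so it may still admit a few entries past the chunk end; worth confirming.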
@@ -636,6 +645,8 @@
     idx->dwChunkLength=len;
     
     c=stream_read_dword(demuxer->stream);
+
+    if(!len) idx->dwFlags&=~AVIIF_KEYFRAME;
 
     // Fix keyframes for DivX files:
     if(idxfix_divx)
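Review bot: The added `if(!len) idx->dwFlags&=~AVIIF_KEYFRAME;` carries no comment explaining why a zero-length chunk must lose its keyframe flag, and it runs before the "Fix keyframes for DivX files" step that follows. If that step (its body is outside this hunk) can set `AVIIF_KEYFRAME` again, the clear is undone whenever `idxfix_divx` is active; placing the clear after the fix-ups, or re-testing `len` there, would make it hold. A one-line comment such as `// zero-length chunks hold no frame data; never mark them as keyframes` would record the intent, wording to be confirmed by the author.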
--- libmpdemux/asfheader.c.orig	Sat Dec 25 09:31:32 2004
+++ libmpdemux/asfheader.c	Fri Apr  7 11:55:29 2006
@@ -189,7 +189,7 @@
   while ((pos = find_asf_guid(hdr, asf_stream_header_guid, pos, hdr_len)) >= 0)
   {
     ASF_stream_header_t *streamh = (ASF_stream_header_t *)&hdr[pos];
-    char *buffer;
+    uint8_t *buffer;
     pos += sizeof(ASF_stream_header_t);
     if (pos > hdr_len) goto len_err_out;
     le2me_ASF_stream_header_t(streamh);
@@ -222,7 +222,9 @@
           asf_scrambling_h=buffer[0];
           asf_scrambling_w=(buffer[2]<<8)|buffer[1];
           asf_scrambling_b=(buffer[4]<<8)|buffer[3];
-  	  asf_scrambling_w/=asf_scrambling_b;
+          if(asf_scrambling_b>0){
+  	    asf_scrambling_w/=asf_scrambling_b;
+          }
 	} else {
 	  asf_scrambling_b=asf_scrambling_h=asf_scrambling_w=1;
 	}
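Review bot: When `asf_scrambling_b` is 0 the new guard only skips the division, leaving `asf_scrambling_b` at 0 and `asf_scrambling_w` undivided, so any later descrambling code that uses these values as divisors or strides still works from a malformed header. Falling back to the no-scrambling defaults already used in the outer `else` branch is safer: `if(asf_scrambling_b>0){ asf_scrambling_w/=asf_scrambling_b; } else { asf_scrambling_b=asf_scrambling_h=asf_scrambling_w=1; }`. `asf_scrambling_h`, taken from `buffer[0]`, gets no zero check either. The reads of `buffer[0]` through `buffer[4]` rely on a length check that, if present, lies outside this hunk.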