rpms/HelixPlayer/FC-6 HelixPlayer-1.0.7-CVE-2007-3410.patch, NONE, 1.1 HelixPlayer.spec, 1.2, 1.3
Aurelien Bompard (abompard)
fedora-extras-commits at redhat.com
Thu Jun 28 13:05:50 UTC 2007
Author: abompard
Update of /cvs/pkgs/rpms/HelixPlayer/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26452/FC-6
Modified Files:
HelixPlayer.spec
Added Files:
HelixPlayer-1.0.7-CVE-2007-3410.patch
Log Message:
* Thu Jun 28 2007 Aurelien Bompard <abompard at fedoraproject.org> 1:1.0.7-6
- fix bug 245838 (CVE-2007-3410)
HelixPlayer-1.0.7-CVE-2007-3410.patch:
--- NEW FILE HelixPlayer-1.0.7-CVE-2007-3410.patch ---
--- ./datatype/smil/renderer/smil2/smlprstime.cpp.CVE-2007-3410 2004-07-09 03:58:02.000000000 +0200
+++ ./datatype/smil/renderer/smil2/smlprstime.cpp 2007-06-28 13:17:06.000000000 +0200
@@ -938,7 +938,8 @@ SmilTimeValue::parseWallClockValue(REF(c
INT32 sec = 0;
INT32 ms = 0;
- char buf[10]; /* Flawfinder: ignore */
+ /* 11 + NULL terminator */
+ char buf[12] = ""; /* Flawfinder: ignore */
// store offset in min.
INT32 UTCOffset = 0;
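Review bot: The `/* Flawfinder: ignore */` marker is carried over onto the resized `buf` declaration, so the scanner will keep skipping the buffer whose copy this patch clamps further down. Dropping the marker, or replacing it with a comment that states the invariant, would let a later regression show up in scans, for example `char buf[12] = ""; /* copies into buf must stay <= sizeof(buf) - 1 */`. The added comment `11 + NULL terminator` does not say where 11 comes from, and the terminator is NUL, not NULL. The body of parseWallClockValue starts and ends outside this hunk.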
@@ -966,8 +967,9 @@ SmilTimeValue::parseWallClockValue(REF(c
++pCh;
}
- if (FAILED(ret))
+ if (FAILED(ret) || !end)
{
+ ret = HXR_FAIL;
CSmilSMILSyntaxErrorHandler errHandler(m_pContext);
errHandler.ReportError(SMILErrorBadWallClockValue, begin,
m_ulStartLine);
@@ -978,7 +980,7 @@ SmilTimeValue::parseWallClockValue(REF(c
if (pT)
{
//YYYY-MM-DDT
- if (*(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10))
+ if (strlen(begin) >= 10 && *(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10))
{
pDatePos = begin;
if (pTimeZone < begin+10)
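Review bot: The new guard `strlen(begin) >= 10` measures up to the string terminator rather than up to `end`, so it keeps the reads at `begin+4` and `begin+7` inside the buffer but does not confine them to the wallclock value if `begin` points into a longer string. How `begin` and `end` are set is outside this hunk, so this needs confirming; if `end` marks the end of the value, `(end - begin) >= 10` would state the intended bound and avoid rescanning the string at every test. The same applies to the `strlen` guards added in the hunks at -995, -1010, -1020, -1114, -1129 and -1182. A short comment on each constant (10 for `YYYY-MM-DD`, 6 for a `+HH:MM` zone) would make the thresholds checkable by the next reader.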
@@ -995,7 +997,7 @@ SmilTimeValue::parseWallClockValue(REF(c
goto cleanup;
}
- if (*(pT+3) == ':')
+ if (strlen(pT) >= 5 && *(pT+3) == ':')
{
pTimePos = pT+1;
}
@@ -1010,7 +1012,7 @@ SmilTimeValue::parseWallClockValue(REF(c
}
// else just the date or time.
//YYYY-MM-DDT
- else if (*(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10))
+ else if (strlen(begin) >= 10 && *(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10))
{
// just date
// there is a date.
@@ -1020,7 +1022,7 @@ SmilTimeValue::parseWallClockValue(REF(c
pTimeZone = NULL;
}
}
- else if (*(begin+2) == ':')
+ else if (strlen(begin) >= 5 && *(begin+2) == ':')
{
pTimePos = begin;
}
@@ -1114,7 +1116,7 @@ SmilTimeValue::parseWallClockValue(REF(c
goto cleanup;
}
- if (*(pos-1) == ':')
+ if (strlen(pTimePos) >= 8 && *(pos-1) == ':')
{
strncpy(buf, pos, 2); /* Flawfinder: ignore */
buf[2] = '\0';
@@ -1129,21 +1131,47 @@ SmilTimeValue::parseWallClockValue(REF(c
goto cleanup;
}
- if (*(pos-1) == '.')
+ if (strlen(pTimePos) >= 10 && *(pos-1) == '.')
{
// find end.
UINT32 len = 0;
if (pTimeZone)
{
+ if (pTimeZone <= pos)
+ {
+ ret = HXR_FAIL;
+ CSmilSMILSyntaxErrorHandler errHandler(m_pContext);
+ errHandler.ReportError(SMILErrorBadWallClockValue, pTimePos,
+ m_ulStartLine);
+ goto cleanup;
+ }
len = pTimeZone - pos;
}
else
{
+ if (end <= pos)
+ {
+ ret = HXR_FAIL;
+ CSmilSMILSyntaxErrorHandler errHandler(m_pContext);
+ errHandler.ReportError(SMILErrorBadWallClockValue, pTimePos,
+ m_ulStartLine);
+ goto cleanup;
+ }
len = end - pos;
}
+
+ /*
+ * Need to clamp here. The time can be of unlimited size per SMIL2 spec.
+ * See http://www.w3.org/TR/SMIL2/smil-timing.html#Timing-WallclockSyncValueSyntax
+ * See http://www.w3.org/TR/SMIL2/smil-timing.html#Timing-ClockValueSyntax
+ */
+ if (len > sizeof(buf) - 1)
+ {
+ len = sizeof(buf) - 1;
+ }
+
strncpy(buf, pos, len); /* Flawfinder: ignore */
- buf[len] = '\0';
- pos += len;
+ buf[len] = '\0';
if (*buf)
{
if (isdigit(*buf))
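Review bot: `pos += len;` is dropped along with the re-indented terminator line, so after the copy `pos` still points at the start of the fraction rather than past it. Whether anything later in the function reads `pos` is outside this hunk; if it does, advancing by the unclamped length keeps the old behaviour, e.g. `UINT32 fullLen = len;` before the clamp and `pos += fullLen;` after the copy. If the removal is deliberate, a one-line comment saying that `pos` is not used past this point would record that. The two new error paths also repeat the same report-and-`goto cleanup` block verbatim, which a small local helper would keep in step.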
@@ -1182,7 +1210,7 @@ SmilTimeValue::parseWallClockValue(REF(c
UTCOffset = 0;
bSyntaxOK = TRUE;
}
- else if ((*pTimeZone == '+' || *pTimeZone == '-') && *(pTimeZone+3) == ':')
+ else if (strlen(pTimeZone) >= 6 && (*pTimeZone == '+' || *pTimeZone == '-') && *(pTimeZone+3) == ':')
{
m_bRelativeToUTC = TRUE;
int sign = 1;
Index: HelixPlayer.spec
===================================================================
RCS file: /cvs/pkgs/rpms/HelixPlayer/FC-6/HelixPlayer.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- HelixPlayer.spec 8 Dec 2006 22:07:40 -0000 1.2
+++ HelixPlayer.spec 28 Jun 2007 13:05:14 -0000 1.3
@@ -2,7 +2,7 @@
Name: HelixPlayer
Version: 1.0.7
Epoch: 1
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Applications/Multimedia
License: RPSL, GPL
URL: https://player.helixcommunity.org/
@@ -17,6 +17,7 @@
Patch2: hxplay-1.0.4-nptl.patch
Patch3: %{name}-1.0.5-missing-header.patch
Patch4: HelixPlayer-1.0.7-ogg.patch
+Patch5: HelixPlayer-1.0.7-CVE-2007-3410.patch
BuildRequires: libtheora-devel >= 1.0alpha3-3
BuildRequires: libvorbis-devel
@@ -56,6 +57,7 @@
%patch2 -p1 -b .nptl
%patch3 -p1 -b .missing-header
%patch4 -p0 -b .ogg
+%patch5 -p1 -b .CVE-2007-3410
%build
# Change hxplay_gtk_release to whatever string is in the Makefile
@@ -194,6 +196,9 @@
%changelog
+* Thu Jun 28 2007 Aurelien Bompard <abompard at fedoraproject.org> 1:1.0.7-6
+- fix bug 245838 (CVE-2007-3410)
+
* Fri Dec 08 2006 Aurelien Bompard <abompard at fedoraproject.org> 1:1.0.7-5
- add patch to make ogg/vorbis work (bug 218896)