Package: mpegdemux
Version: 0.1.2-5
Severity: important
Tags: patch
I was using mpegdemux to demux an mpeg stream I ripped from a dvd, when it
started to malloc about 4 GB of memory and trashing my system. A bit of
investigation exposed an integer overflow in mpeg_demux.c.
This patch should fix it:
[...@eleanor]/tmp/mpegdemux-0.1.2/src> diff -Naur mpeg_demux.c.orig mpeg_demux.c
diff -Naur mpeg_demux.c.orig mpeg_demux.c
--- mpeg_demux.c.orig 2008-12-27 23:53:03.340719670 +0100
+++ mpeg_demux.c 2008-12-27 23:54:17.506861997 +0100
@@ -186,6 +186,13 @@
mpegd_skip (mpeg, cnt);
}
+ if ( cnt > mpeg->packet.size )
+ {
+ fprintf( stderr, "Whoopsie, count is less than packet size\n" );
+ fprintf( stderr, "broken MPEG stream bailing out\n" );
+ exit(1);
+ }
+
cnt = mpeg->packet.size - cnt;
if ((sid == 0xbd) && par_dvdsub) {
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27.8 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mpegdemux depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
mpegdemux recommends no packages.
mpegdemux suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
