Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 158016 Details for
Bug 245836
CVE-2007-3410 RealPlayer/HelixPlayer buffer overflow
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Patch created by Chris Aillon
HelixPlayer-1.0.6-wallclock.patch (text/plain), 3.69 KB, created by
Josh Bressers
on 2007-06-27 14:21:31 UTC
(
hide
)
Description:
Patch created by Chris Aillon
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2007-06-27 14:21:31 UTC
Size:
3.69 KB
patch
obsolete
>--- hxplay-1.0.6/datatype/smil/renderer/smil2/smlprstime.cpp.wallclock 2007-06-26 17:07:42.000000000 -0400 >+++ hxplay-1.0.6/datatype/smil/renderer/smil2/smlprstime.cpp 2007-06-26 18:39:17.000000000 -0400 >@@ -938,7 +938,8 @@ SmilTimeValue::parseWallClockValue(REF(c > INT32 sec = 0; > INT32 ms = 0; > >- char buf[10]; /* Flawfinder: ignore */ >+ /* 11 + NULL terminator */ >+ char buf[12] = ""; /* Flawfinder: ignore */ > > // store offset in min. > INT32 UTCOffset = 0; >@@ -966,8 +967,9 @@ SmilTimeValue::parseWallClockValue(REF(c > ++pCh; > } > >- if (FAILED(ret)) >+ if (FAILED(ret) || !end) > { >+ ret = HXR_FAIL; > CSmilSMILSyntaxErrorHandler errHandler(m_pContext); > errHandler.ReportError(SMILErrorBadWallClockValue, begin, > m_ulStartLine); >@@ -978,7 +980,7 @@ SmilTimeValue::parseWallClockValue(REF(c > if (pT) > { > //YYYY-MM-DDT >- if (*(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10)) >+ if (strlen(begin) >= 10 && *(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10)) > { > pDatePos = begin; > if (pTimeZone < begin+10) >@@ -995,7 +997,7 @@ SmilTimeValue::parseWallClockValue(REF(c > goto cleanup; > } > >- if (*(pT+3) == ':') >+ if (strlen(pT) >= 5 && *(pT+3) == ':') > { > pTimePos = pT+1; > } >@@ -1010,7 +1012,7 @@ SmilTimeValue::parseWallClockValue(REF(c > } > // else just the date or time. > //YYYY-MM-DDT >- else if (*(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10)) >+ else if (strlen(begin) >= 10 && *(begin+4) == '-' && *(begin+7) == '-' && pT == (begin+10)) > { > // just date > // there is a date. >@@ -1020,7 +1022,7 @@ SmilTimeValue::parseWallClockValue(REF(c > pTimeZone = NULL; > } > } >- else if (*(begin+2) == ':') >+ else if (strlen(begin) >= 5 && *(begin+2) == ':') > { > pTimePos = begin; > } >@@ -1114,7 +1116,7 @@ SmilTimeValue::parseWallClockValue(REF(c > goto cleanup; > } > >- if (*(pos-1) == ':') >+ if (strlen(pTimePos) >= 8 && *(pos-1) == ':') > { > strncpy(buf, pos, 2); /* Flawfinder: ignore */ > buf[2] = '\0'; >@@ -1129,21 +1131,47 @@ SmilTimeValue::parseWallClockValue(REF(c > goto cleanup; > } > >- if (*(pos-1) == '.') >+ if (strlen(pTimePos) >= 10 && *(pos-1) == '.') > { > // find end. > UINT32 len = 0; > if (pTimeZone) > { >+ if (pTimeZone <= pos) >+ { >+ ret = HXR_FAIL; >+ CSmilSMILSyntaxErrorHandler errHandler(m_pContext); >+ errHandler.ReportError(SMILErrorBadWallClockValue, pTimePos, >+ m_ulStartLine); >+ goto cleanup; >+ } > len = pTimeZone - pos; > } > else > { >+ if (end <= pos) >+ { >+ ret = HXR_FAIL; >+ CSmilSMILSyntaxErrorHandler errHandler(m_pContext); >+ errHandler.ReportError(SMILErrorBadWallClockValue, pTimePos, >+ m_ulStartLine); >+ goto cleanup; >+ } > len = end - pos; > } >+ >+ /* >+ * Need to clamp here. The time can be of unlimited size per SMIL2 spec. >+ * See http://www.w3.org/TR/SMIL2/smil-timing.html#Timing-WallclockSyncValueSyntax >+ * See http://www.w3.org/TR/SMIL2/smil-timing.html#Timing-ClockValueSyntax >+ */ >+ if (len > sizeof(buf) - 1) >+ { >+ len = sizeof(buf) - 1; >+ } >+ > strncpy(buf, pos, len); /* Flawfinder: ignore */ >- buf[len] = '\0'; >- pos += len; >+ buf[len] = '\0'; > if (*buf) > { > if (isdigit(*buf)) >@@ -1182,7 +1210,7 @@ SmilTimeValue::parseWallClockValue(REF(c > UTCOffset = 0; > bSyntaxOK = TRUE; > } >- else if ((*pTimeZone == '+' || *pTimeZone == '-') && *(pTimeZone+3) == ':') >+ else if (strlen(pTimeZone) >= 6 && (*pTimeZone == '+' || *pTimeZone == '-') && *(pTimeZone+3) == ':') > { > m_bRelativeToUTC = TRUE; > int sign = 1;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=158016">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 245836
: 158016