Branches for Feisty

Author: Kees Cook
Revision Date: 2007-03-09 10:11:22 UTC

* SECURITY UPDATE: DS decoder heap overflow.
* src/libw32dll/DirectShow/DS_VideoDecoder.c: ported mplayer fix.
* References
  http://svn.mplayerhq.hu/mplayer?view=rev&revision=22205

Author: Jamie Strandboge
Revision Date: 2008-07-30 16:01:44 UTC

* SECURITY UPDATE: array index vulnerability
* fix for src/libspeex/xine_decoder.c to properly validate its input
* SECURITY UPDATE: buffer overflow in the NSF demuxer
* fix for src/demuxers/demux_nsf.c to use strndup() instead of strdup()
* SECURITY UPDATE: integer overflows in FLV, Qt, Real, WC3Movie, Matroska
  and FILM demuxers
* fix demux_film.c, demux_flv.c, demux_qt.c, demux_real.c, demux_wc3movie.c
  and ebml.c to check for failure of various memory allocations
* SECURITY UPDATE: array index vulnerability
* fix src/input/libreal/sdpplin.c and src/input/libreal/sdpplin.h to verify
  size of stream_id and stream_count
* SECURITY UPDATE: buffer overflow in the RTSP header-handling code
* fix src/input/libreal/rmff.c and src/input/libreal/rmff.h to check buffer
  sizes in rmff_dump_*() functions (CVE-2008-0225 and CVE-2008-0238)
* SECURITY UPDATE: buffer overflow in FLAC processing
* fix for src/demuxers/demux_flac.c to check buffer lengths and leave room
  for NUL termination
* SECURITY UPDATE: fix buffer overflow in ASF demuxer as demonstrated by
  exploit code for CVE-2006-1664
* fix src/demuxers/demux_asf.c to check the size of asf_header_len
* SECURITY UPDATE: buffer over in Matroska demuxer
* fix src/demuxers/demux_matroska.c to use unsigned ints and check size of
  first_frame_size and frame_size, and return value of parse_ebml_sint() and
  parse_ebml_uint()
* References
  CVE-2008-1686
  CVE-2008-1878
  CVE-2008-1482
  CVE-2008-0073
  CVE-2008-0225
  CVE-2008-0238
  CVE-2008-0486
  CVE-2008-1110
  CVE-2008-1161

Author: Jamie Strandboge
Revision Date: 2008-07-30 16:01:44 UTC

* SECURITY UPDATE: array index vulnerability
* fix for src/libspeex/xine_decoder.c to properly validate its input
* SECURITY UPDATE: buffer overflow in the NSF demuxer
* fix for src/demuxers/demux_nsf.c to use strndup() instead of strdup()
* SECURITY UPDATE: integer overflows in FLV, Qt, Real, WC3Movie, Matroska
  and FILM demuxers
* fix demux_film.c, demux_flv.c, demux_qt.c, demux_real.c, demux_wc3movie.c
  and ebml.c to check for failure of various memory allocations
* SECURITY UPDATE: array index vulnerability
* fix src/input/libreal/sdpplin.c and src/input/libreal/sdpplin.h to verify
  size of stream_id and stream_count
* SECURITY UPDATE: buffer overflow in the RTSP header-handling code
* fix src/input/libreal/rmff.c and src/input/libreal/rmff.h to check buffer
  sizes in rmff_dump_*() functions (CVE-2008-0225 and CVE-2008-0238)
* SECURITY UPDATE: buffer overflow in FLAC processing
* fix for src/demuxers/demux_flac.c to check buffer lengths and leave room
  for NUL termination
* SECURITY UPDATE: fix buffer overflow in ASF demuxer as demonstrated by
  exploit code for CVE-2006-1664
* fix src/demuxers/demux_asf.c to check the size of asf_header_len
* SECURITY UPDATE: buffer over in Matroska demuxer
* fix src/demuxers/demux_matroska.c to use unsigned ints and check size of
  first_frame_size and frame_size, and return value of parse_ebml_sint() and
  parse_ebml_uint()
* References
  CVE-2008-1686
  CVE-2008-1878
  CVE-2008-1482
  CVE-2008-0073
  CVE-2008-0225
  CVE-2008-0238
  CVE-2008-0486
  CVE-2008-1110
  CVE-2008-1161