[MPlayer-dev-eng] mplayer & DSA 1244-1

Roberto Togni rxt at rtogni.it
Sat Dec 30 17:18:08 CET 2006


On Sat, 30 Dec 2006 12:16:03 +0100
A Mennucc <mennucc1 at debian.org> wrote:

> hi
> 
> did anybody look at the patch?
> 
> Ivan Kalvachev ha scritto:
> > Next time first read
> > http://www.mplayerhq.hu/DOCS/HTML/en/bugreports_security.html
> 
> :->
> 
> OK
> 
> a.
> 

About the patch:
The patch looks ok, even if I prefer the attached patch, because:
- it shows clearly that the maximum allowed number of matched rules is
a constant fixed at compilation time
- prints an error message instead of silently ignoring the extra matches
- minimizes the changes in the code, avoiding the introduction of an
extra parameter that will always have the same value


About the bug:
While the bug is clearly a buffer overflow, I think it will be quite
hard to exploit it, since you can't write arbitrary data into the
buffer (you can only write a sequence of increasing numbers, unless
you can feed so many rules to overflow rule_num; in that case you can
restart the count).


Based on what I said above, my plan for this bug is:
- commit the fix to svn
- release a patch against rc1 (with a newsentry on the homepage)
- do not make a rc1try2 rerelease, since rc2 is due soon.

If anybody disagrees please reply asap, I plan to do this late tonight
or tomorrow (depending on when I'll be back tonight).

Ciao,
 Roberto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: asmrpfix.diff
Type: text/x-patch
Size: 1333 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20061230/ba1153aa/attachment.bin>
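As an added illustration of the bug class Roberto describes (not MPlayer's asmrp code and not the attached patch, which is not reproduced on this page), the following C example models a rule matcher that appends the index of every matching rule to a fixed-size array. The unchecked form shows the overflow shape; the hardened form caps the count at a compile-time constant and prints an error rather than silently dropping extra matches, as the preferred fix does. The rule structure, the constant value 16, the bandwidth-based match condition and the -1 error return are assumptions of this example.

```c
#include <stdio.h>

/* Compile-time cap on stored matches, as in the fix described above.
 * The value 16 is an assumption for this example, not MPlayer's constant. */
#define MAX_RULEMATCHES 16
#define MAX_RULES 64   /* size of the scratch rule table used by the helpers */

/* Hypothetical stand-in for an ASM rule: match if the client bandwidth is
 * at least min_bandwidth. Real asmrp rules are richer; this keeps the shape. */
typedef struct {
    int min_bandwidth;
} rule_t;

/* Vulnerable shape: every matching rule index is appended to matches[]
 * with no check against the array's size, so a stream carrying more
 * matching rules than MAX_RULEMATCHES writes past the end of the buffer.
 * Note what gets written: the loop index, i.e. increasing rule numbers,
 * not attacker-chosen bytes. Kept for contrast; only ever called here
 * with an input that fits. */
int match_rules_unchecked(const rule_t *rules, int num_rules,
                          int bandwidth, int matches[MAX_RULEMATCHES])
{
    int n = 0;
    for (int i = 0; i < num_rules; i++)
        if (bandwidth >= rules[i].min_bandwidth)
            matches[n++] = i;           /* no bound on n */
    return n;
}

/* Hardened shape: stop at the compile-time cap and complain instead of
 * silently dropping extra matches. Returning -1 on overflow is this
 * example's choice so callers can tell the two outcomes apart. */
int match_rules(const rule_t *rules, int num_rules,
                int bandwidth, int matches[MAX_RULEMATCHES])
{
    int n = 0;
    for (int i = 0; i < num_rules; i++) {
        if (bandwidth < rules[i].min_bandwidth)
            continue;
        if (n >= MAX_RULEMATCHES) {
            fprintf(stderr, "asmrp: more than %d matching rules, rejecting\n",
                    MAX_RULEMATCHES);
            return -1;
        }
        matches[n++] = i;
    }
    return n;
}

/* Constructed input: rule i requires at least i*1000 units of bandwidth.
 * Returns 0 on success, -1 if num_rules exceeds the scratch table. */
static int build_rules(rule_t *rules, int num_rules)
{
    if (num_rules > MAX_RULES)
        return -1;
    for (int i = 0; i < num_rules; i++)
        rules[i].min_bandwidth = i * 1000;
    return 0;
}

/* Number of matches stored by the hardened matcher for the constructed
 * rule set, -1 if the cap was hit, -2 if num_rules is too large. */
int count_matches(int num_rules, int bandwidth)
{
    rule_t rules[MAX_RULES];
    int matches[MAX_RULEMATCHES];
    if (build_rules(rules, num_rules) < 0)
        return -2;
    return match_rules(rules, num_rules, bandwidth, matches);
}

/* Roberto's observation, checked on the same constructed input: whatever
 * lands in matches[] is a strictly increasing run of valid rule indices.
 * Returns 1 if that holds (and the cap was not hit), 0 otherwise. */
int matches_are_increasing(int num_rules, int bandwidth)
{
    rule_t rules[MAX_RULES];
    int matches[MAX_RULEMATCHES];
    if (build_rules(rules, num_rules) < 0)
        return 0;
    int n = match_rules(rules, num_rules, bandwidth, matches);
    if (n < 0)
        return 0;
    for (int k = 0; k < n; k++) {
        if (matches[k] < 0 || matches[k] >= num_rules)
            return 0;
        if (k > 0 && matches[k] <= matches[k - 1])
            return 0;
    }
    return 1;
}

int main(void)
{
    rule_t few[4] = { {0}, {1000}, {2000}, {3000} };
    int small[MAX_RULEMATCHES];
    printf("unchecked, 4 rules at 2500: %d matches\n",
           match_rules_unchecked(few, 4, 2500, small));
    printf("8 rules at 5000: %d matches\n", count_matches(8, 5000));
    printf("16 rules at 100000: %d matches\n", count_matches(16, 100000));
    printf("40 rules at 100000: %d (cap hit)\n", count_matches(40, 100000));
    printf("stored indices increasing: %d\n", matches_are_increasing(10, 4500));
    return 0;
}
```

The point of `matches_are_increasing` is Roberto's exploitability argument: even in the unchecked version, what spills past the array is the sequence of rule indices, so an attacker controls how far the write goes but not the values written, unless the rule counter itself can be made to wrap.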

