diff options
author | snj <snj@pkgsrc.org> | 2005-02-28 21:11:50 +0000 |
---|---|---|
committer | snj <snj@pkgsrc.org> | 2005-02-28 21:11:50 +0000 |
commit | f9f6bd912254039417db58e4c15b616eb52127c0 (patch) | |
tree | a481abfe0e11fd507800161c84445f277167c5a3 | |
parent | 243a7db059f5f0a81955b3116c57aff313473a91 (diff) | |
download | pkgsrc-f9f6bd912254039417db58e4c15b616eb52127c0.tar.gz |
Pullup ticket 317 - requested by Lubomir Sedlacik
security fix for xine-lib
Apply a manual patch that fixes the vulnerabilities noted in
http://www.xinehq.de/index.php/security/XSA-2004-6
-rw-r--r-- | multimedia/xine-lib/Makefile | 4 | ||||
-rw-r--r-- | multimedia/xine-lib/distinfo | 4 | ||||
-rw-r--r-- | multimedia/xine-lib/patches/patch-bc | 102 | ||||
-rw-r--r-- | multimedia/xine-lib/patches/patch-bd | 27 |
4 files changed, 134 insertions, 3 deletions
diff --git a/multimedia/xine-lib/Makefile b/multimedia/xine-lib/Makefile index 6231e97a36f..8866a798c7a 100644 --- a/multimedia/xine-lib/Makefile +++ b/multimedia/xine-lib/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.14.2.1 2005/01/07 01:22:20 salo Exp $ +# $NetBSD: Makefile,v 1.14.2.2 2005/02/28 21:11:50 snj Exp $ # .include "Makefile.common" -PKGREVISION= 2 +PKGREVISION= 3 .if ${MACHINE_ARCH} == "i386" DEPENDS+= win32-codecs>=011227:../../multimedia/win32-codecs diff --git a/multimedia/xine-lib/distinfo b/multimedia/xine-lib/distinfo index 968d2f2cd84..159f5504cdc 100644 --- a/multimedia/xine-lib/distinfo +++ b/multimedia/xine-lib/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.9.2.1 2005/01/07 01:22:20 salo Exp $ +$NetBSD: distinfo,v 1.9.2.2 2005/02/28 21:11:50 snj Exp $ SHA1 (xine-lib-1-rc6a.tar.gz) = 9359543ae3cc34f25af08ef42cbd13f08cae8398 Size (xine-lib-1-rc6a.tar.gz) = 7003035 bytes @@ -22,3 +22,5 @@ SHA1 (patch-au) = 569ac1d00402eb3679bf99f0afe5832f425b3b0e SHA1 (patch-av) = 56f462e6091a72e87544ece689557d60fbb749aa SHA1 (patch-ba) = a527975fe9675358090bddc1361b707aa122f89b SHA1 (patch-bb) = fcfdf5dae066837cb35e51a5d114c366a5b3a7b2 +SHA1 (patch-bc) = c07129e89ed5b958c9361b864e227cc7569e4a33 +SHA1 (patch-bd) = 2af09a00178b2cc499f98a454667e9dbfcc8e072 diff --git a/multimedia/xine-lib/patches/patch-bc b/multimedia/xine-lib/patches/patch-bc new file mode 100644 index 00000000000..60aec3115d2 --- /dev/null +++ b/multimedia/xine-lib/patches/patch-bc @@ -0,0 +1,102 @@ +$NetBSD: patch-bc,v 1.2.2.2 2005/02/28 21:11:50 snj Exp $ + +--- src/input/pnm.c 2003/12/12 22:53:15 1.20 ++++ src/input/pnm.c 2004/12/15 12:53:36 1.21 +@@ -205,16 +205,21 @@ + char *data, int *need_response) { + + unsigned int chunk_size; +- int n; ++ unsigned int n; + char *ptr; +- ++ ++ if( max < PREAMBLE_SIZE ) ++ return -1; ++ + /* get first PREAMBLE_SIZE bytes and ignore checksum */ + _x_io_tcp_read (p->stream, p->s, data, CHECKSUM_SIZE); + if (data[0] == 0x72) + _x_io_tcp_read (p->stream, p->s, data, PREAMBLE_SIZE); + else + _x_io_tcp_read (p->stream, p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE); +- ++ ++ max -= PREAMBLE_SIZE; ++ + *chunk_type = be2me_32(*((uint32_t *)data)); + chunk_size = be2me_32(*((uint32_t *)(data+4))); + +@@ -222,7 +227,11 @@ + case PNA_TAG: + *need_response=0; + ptr=data+PREAMBLE_SIZE; ++ ++ if( max < 1 ) ++ return -1; + _x_io_tcp_read (p->stream, p->s, ptr++, 1); ++ max -= 1; + + while(1) { + /* The pna chunk is devided into subchunks. +@@ -235,17 +244,29 @@ + * if first byte is 'F', we got an error + */ + ++ if( max < 2 ) ++ return -1; + _x_io_tcp_read (p->stream, p->s, ptr, 2); ++ max -= 2; ++ + if (*ptr == 'X') /* checking for server message */ + { + xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "input_pnm: got a message from server:\n"); ++ if( max < 1 ) ++ return -1; + _x_io_tcp_read (p->stream, p->s, ptr+2, 1); ++ max -= 1; + + /* two bytes of message length*/ + n=be2me_16(*(uint16_t*)(ptr+1)); + + /* message itself */ ++ if( max < n ) ++ return -1; + _x_io_tcp_read (p->stream, p->s, ptr+3, n); ++ max -= n; ++ if( max < 1 ) ++ return -1; + ptr[3+n]=0; + xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "%s\n", ptr+3); + return -1; +@@ -265,10 +286,15 @@ + } + if (*ptr != 0x4f) break; + n=ptr[1]; +- _x_io_tcp_read (p->stream, p->s, ptr+2, n); ++ if( max < n ) ++ return -1; ++ _x_io_tcp_read (p->stream, p->s, ptr+2, n); + ptr+=(n+2); ++ max-=n; + } + /* the checksum of the next chunk is ignored here */ ++ if( max < 1 ) ++ return -1; + _x_io_tcp_read (p->stream, p->s, ptr+2, 1); + ptr+=3; + chunk_size=ptr-data; +@@ -278,11 +304,11 @@ + case PROP_TAG: + case MDPR_TAG: + case CONT_TAG: +- if (chunk_size > max) { ++ if (chunk_size > max || chunk_size < PREAMBLE_SIZE) { + xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "error: max chunk size exeeded (max was 0x%04x)\n", max); ++#ifdef LOG + /* reading some bytes for debugging */ + n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE); +-#ifdef LOG + xine_hexdump(data,n+PREAMBLE_SIZE); + #endif + return -1; diff --git a/multimedia/xine-lib/patches/patch-bd b/multimedia/xine-lib/patches/patch-bd new file mode 100644 index 00000000000..cd2dc72b64c --- /dev/null +++ b/multimedia/xine-lib/patches/patch-bd @@ -0,0 +1,27 @@ +$NetBSD: patch-bd,v 1.1.2.2 2005/02/28 21:11:50 snj Exp $ + +--- src/input/libreal/real.c 2004/09/08 15:09:30 1.19 ++++ src/input/libreal/real.c 2004/12/15 12:53:46 1.20 +@@ -604,6 +604,8 @@ + return (n <= 0) ? 0 : n+12; + } + ++//! maximum size of the rtsp description, must be < INT_MAX ++#define MAX_DESC_BUF (20 * 1024 * 1024) + rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) { + + char *description=NULL; +@@ -652,6 +654,13 @@ + else + size=atoi(rtsp_search_answers(rtsp_session,"Content-length")); + ++ if (size > MAX_DESC_BUF) { ++ printf("real: Content-length for description too big (> %uMB)!\n", ++ MAX_DESC_BUF/(1024*1024) ); ++ xine_buffer_free(buf); ++ return NULL; ++ } ++ + if (!rtsp_search_answers(rtsp_session,"ETag")) + lprintf("real: got no ETag!\n"); + else |