Pullup ticket #2515 - requested by tonnerre

ffmpeg: security patch

Revisions pulled up:
- multimedia/ffmpeg/Makefile		1.36
- multimedia/ffmpeg/distinfo		1.15
- multimedia/ffmpeg/patches/patch-al	1.1
---
Module Name:	pkgsrc
Committed By:	tonnerre
Date:		Mon Sep  1 00:00:10 UTC 2008

Modified Files:
	pkgsrc/multimedia/ffmpeg: Makefile distinfo
Added Files:
	pkgsrc/multimedia/ffmpeg/patches: patch-al

Log Message:
Add patch to fix ffmpeg remote system access vulnerability
(CVE-2008-3162).

3 files changed, 56 insertions, 3 deletions

diff --git a/multimedia/ffmpeg/Makefile b/multimedia/ffmpeg/Makefile
index 01eb448b37f..9f15b2d150a 100644
--- a/multimedia/ffmpeg/Makefile
+++ b/multimedia/ffmpeg/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.35 2008/01/22 22:51:45 jdc Exp $
+# $NetBSD: Makefile,v 1.35.6.1 2008/09/04 21:01:44 tron Exp $
 
 DISTNAME=	ffmpeg-0.4.9-pre1
 PKGNAME=	ffmpeg-0.4.9pre1
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	multimedia
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=ffmpeg/}
 
diff --git a/multimedia/ffmpeg/distinfo b/multimedia/ffmpeg/distinfo
index b5b07317ed5..27b2bf70ead 100644
--- a/multimedia/ffmpeg/distinfo
+++ b/multimedia/ffmpeg/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/12/22 00:05:25 joerg Exp $
+$NetBSD: distinfo,v 1.14.8.1 2008/09/04 21:01:44 tron Exp $
 
 SHA1 (ffmpeg-0.4.9-pre1.tar.gz) = aad00445137520bec19e56bcb042e75a10c53bb3
 RMD160 (ffmpeg-0.4.9-pre1.tar.gz) = fd682846f97ada32951af7844e185c42783189a4
@@ -14,5 +14,6 @@ SHA1 (patch-ah) = 3b600dd8d5bc0d4363139cea0ba8338691d8fa75
 SHA1 (patch-ai) = fe1bbecd05f2eef812650efa83223a3b6417ed6a
 SHA1 (patch-aj) = b998fdc2b3cc5f6efd2fb4f12fbb630d5832004b
 SHA1 (patch-ak) = 564d7d55372281909f70c63c6a72eb7d97afd99d
+SHA1 (patch-al) = d418bf4af796f1e3b829ceab19ddde94a0ca8ec4
 SHA1 (patch-an) = 3e2327f2a30571daf82edd67128c63845819224e
 SHA1 (patch-ao) = f1e8f504a951ab02d70aae083862414b32d8b55a
diff --git a/multimedia/ffmpeg/patches/patch-al b/multimedia/ffmpeg/patches/patch-al
new file mode 100644
index 00000000000..595437a3b0e
--- /dev/null
+++ b/multimedia/ffmpeg/patches/patch-al
@@ -0,0 +1,52 @@
+$NetBSD: patch-al,v 1.1.2.2 2008/09/04 21:01:44 tron Exp $
+
+--- libavformat/psxstr.c.orig	2004-06-19 05:59:34.000000000 +0200
++++ libavformat/psxstr.c
+@@ -273,12 +273,21 @@ static int str_read_packet(AVFormatConte
+                 int current_sector = LE_16(&sector[0x1C]);
+                 int sector_count   = LE_16(&sector[0x1E]);
+                 int frame_size = LE_32(&sector[0x24]);
+-                int bytes_to_copy;
++                
++		if(!(   frame_size>=0
++		     && current_sector < sector_count
++		     && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++		    av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++		    return AVERROR_INVALIDDATA;
++		}
+ //        printf("%d %d %d\n",current_sector,sector_count,frame_size);
+                 /* if this is the first sector of the frame, allocate a pkt */
+                 pkt = &str->tmp_pkt;
+-                if (current_sector == 0) {
+-                    if (av_new_packet(pkt, frame_size))
++                if (pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++		    if(pkt->data)
++			av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++		    av_free_packet(pkt);
++                    if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+                         return AVERROR_IO;
+ 
+                     pkt->stream_index = 
+@@ -291,15 +300,15 @@ static int str_read_packet(AVFormatConte
+                        str->pts += (90000 / 15);
+                 }
+ 
+-                /* load all the constituent chunks in the video packet */
+-                bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+-                if (bytes_to_copy>0) {
+-                    if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+-                    memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+-                        sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+-                }
++                memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++                        sector + VIDEO_DATA_HEADER_SIZE,
++			VIDEO_DATA_CHUNK_SIZE);
++
+                 if (current_sector == sector_count-1) {
++		    pkt->size= frame_size;
+                     *ret_pkt = *pkt;
++		    pkt->data= NULL;
++		    pkt->size= -1;
+                     return 0;
+                 }
+