author | ghen <ghen> | 2008-02-11 12:04:15 +0000 |
---|---|---|
committer | ghen <ghen> | 2008-02-11 12:04:15 +0000 |
commit | 3ac16819ed714a396dec95346de9b5604807fce0 (patch) | |
tree | 1c4866d18673026817e79913b108e5acd5f9e1aa | |
parent | ffc177276170b7bb4e8b97ea30bb32e0c910061d (diff) | |
download | pkgsrc-3ac16819ed714a396dec95346de9b5604807fce0.tar.gz |
Pullup ticket 2287 - requested by drochner
security fixes for mplayer and mencoder
- pkgsrc/multimedia/gmplayer/Makefile 1.67
- pkgsrc/multimedia/mencoder/Makefile 1.37
- pkgsrc/multimedia/mplayer/Makefile 1.52
- pkgsrc/multimedia/mplayer-share/distinfo 1.47
- pkgsrc/multimedia/mplayer-share/patches/patch-ba 1.7
- pkgsrc/multimedia/mplayer-share/patches/patch-bb 1.7
- pkgsrc/multimedia/mplayer-share/patches/patch-bc 1.5
- pkgsrc/multimedia/mplayer-share/patches/patch-bd 1.5
Module Name: pkgsrc
Committed By: drochner
Date: Tue Feb 5 17:00:37 UTC 2008
Modified Files:
pkgsrc/multimedia/gmplayer: Makefile
pkgsrc/multimedia/mencoder: Makefile
pkgsrc/multimedia/mplayer: Makefile
pkgsrc/multimedia/mplayer-share: distinfo
Added Files:
pkgsrc/multimedia/mplayer-share/patches: patch-ba patch-bb patch-bc
patch-bd
Log Message:
add some patches from upstream which fix CVE-2008-0485, CVE-2008-0486
and two unnamed buffer overflows, bump PKGREVISION of affected pkgs
-rw-r--r-- | multimedia/gmplayer/Makefile | 4 | ||||
-rw-r--r-- | multimedia/mencoder/Makefile | 4 | ||||
-rw-r--r-- | multimedia/mplayer-share/distinfo | 6 | ||||
-rw-r--r-- | multimedia/mplayer-share/patches/patch-ba | 13 | ||||
-rw-r--r-- | multimedia/mplayer-share/patches/patch-bb | 47 | ||||
-rw-r--r-- | multimedia/mplayer-share/patches/patch-bc | 12 | ||||
-rw-r--r-- | multimedia/mplayer-share/patches/patch-bd | 34 | ||||
-rw-r--r-- | multimedia/mplayer/Makefile | 4 |
8 files changed, 118 insertions, 6 deletions
diff --git a/multimedia/gmplayer/Makefile b/multimedia/gmplayer/Makefile index 68619dd90c7..6efec5c0a0d 100644 --- a/multimedia/gmplayer/Makefile +++ b/multimedia/gmplayer/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.66 2007/12/29 13:26:29 wiz Exp $ +# $NetBSD: Makefile,v 1.66.2.1 2008/02/11 12:04:15 ghen Exp $ # # NOTE: if you are updating both mplayer and gmplayer, you must ensure @@ -9,7 +9,7 @@ # PKGNAME= gmplayer-${MPLAYER_PKG_VERSION} -PKGREVISION= 2 +PKGREVISION= 3 BROKEN_IN= pkgsrc-2006Q4 diff --git a/multimedia/mencoder/Makefile b/multimedia/mencoder/Makefile index 3537ab6cede..3ba6159b8dd 100644 --- a/multimedia/mencoder/Makefile +++ b/multimedia/mencoder/Makefile @@ -1,7 +1,9 @@ -# $NetBSD: Makefile,v 1.36 2007/12/21 11:31:12 tron Exp $ +# $NetBSD: Makefile,v 1.36.2.1 2008/02/11 12:04:15 ghen Exp $ PKGNAME= mencoder-${MPLAYER_PKG_VERSION} +PKGREVISION= 1 + COMMENT= Simple movie encoder for MPlayer-playable movies PKG_DESTDIR_SUPPORT= user-destdir diff --git a/multimedia/mplayer-share/distinfo b/multimedia/mplayer-share/distinfo index f483cd0edda..c92c060b784 100644 --- a/multimedia/mplayer-share/distinfo +++ b/multimedia/mplayer-share/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.45 2007/12/21 16:07:48 tron Exp $ +$NetBSD: distinfo,v 1.45.2.1 2008/02/11 12:04:15 ghen Exp $ SHA1 (mplayer-1.0rc10/MPlayer-1.0rc2.tar.bz2) = e9b496f3527c552004ec6d01d6b43f196b43ce2d RMD160 (mplayer-1.0rc10/MPlayer-1.0rc2.tar.bz2) = 3b5cba1529856a177a5191e22f8dcc00b5a83c52 @@ -12,3 +12,7 @@ SHA1 (patch-af) = e8b6f2b914f9b8e9f12d92cb49b91b4381a46ce5 SHA1 (patch-ag) = b46d902d88e05d6f61a017e8a1be79fad5a1fa00 SHA1 (patch-ah) = 7aeb9f04d622fcad8c40dc9edbb0a58277fc622b SHA1 (patch-tc) = 89f802ff0ebfc14d6f2a4b17177915f66c9f9038 +SHA1 (patch-ba) = 2683c414fed3a4a6d3b4d47287f43d822339bd4e +SHA1 (patch-bb) = 26d000bcbc94b9139e6dbc79237fdb3a109c6057 +SHA1 (patch-bc) = fd46ce3cd6d5f7525e210cf6d475b89573ca988d +SHA1 (patch-bd) = 9132118a143758b6c9e9dffb713f7dadd29ce3c3 
diff --git a/multimedia/mplayer-share/patches/patch-ba b/multimedia/mplayer-share/patches/patch-ba
new file mode 100644
index 00000000000..ab42c8c442e
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-ba
@@ -0,0 +1,13 @@
+$NetBSD: patch-ba,v 1.6.2.1 2008/02/11 12:04:15 ghen Exp $
+
+--- libmpdemux/demux_audio.c.orig 2007-10-07 21:49:33.000000000 +0200
++++ libmpdemux/demux_audio.c
+@@ -229,6 +229,8 @@ get_flac_metadata (demuxer_t* demuxer)
+ ptr += 4;
+
+ comment = ptr;
++ if (&comment[length] < comments || &comment[length] >= &comments[blk_len])
++ return;
+ c = comment[length];
+ comment[length] = 0;
+
diff --git a/multimedia/mplayer-share/patches/patch-bb b/multimedia/mplayer-share/patches/patch-bb
new file mode 100644
index 00000000000..853eb46946c
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-bb
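Review bot: The added bounds test in get_flac_metadata forms `&comment[length]` before `length` (presumably read from the file) has been validated, so for a large value the pointer arithmetic itself is out of range and undefined; a compiler may assume it cannot wrap and drop the `< comments` half of the test. Comparing sizes avoids that, for example `if (length >= (size_t)(&comments[blk_len] - comment)) return;`, which presumes `comment` has already been shown to lie inside the block. The lines that read `length` and advance `ptr` are outside the hunk, so it cannot be confirmed here that the four bytes consumed by `ptr += 4` were themselves within `blk_len`. A short comment above the check naming the untrusted field would help the next reader.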
@@ -0,0 +1,47 @@
+$NetBSD: patch-bb,v 1.6.2.1 2008/02/11 12:04:15 ghen Exp $
+
+--- libmpdemux/demux_mov.c.orig 2007-10-07 21:49:33.000000000 +0200
++++ libmpdemux/demux_mov.c
+@@ -173,11 +173,12 @@ void mov_build_index(mov_track_t* trak,i
+ i=trak->chunkmap_size;
+ while(i>0){
+ --i;
+- for(j=trak->chunkmap[i].first;j<last;j++){
++ j=FFMAX(trak->chunkmap[i].first, 0);
++ for(;j<last;j++){
+ trak->chunks[j].desc=trak->chunkmap[i].sdid;
+ trak->chunks[j].size=trak->chunkmap[i].spc;
+ }
+- last=trak->chunkmap[i].first;
++ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size);
+ }
+
+ #if 0
+@@ -235,6 +236,8 @@ void mov_build_index(mov_track_t* trak,i
+ s=0;
+ for(j=0;j<trak->durmap_size;j++){
+ for(i=0;i<trak->durmap[j].num;i++){
++ if (s >= trak->samples_size)
++ break;
+ trak->samples[s].pts=pts;
+ ++s;
+ pts+=trak->durmap[j].dur;
+@@ -246,6 +249,8 @@ void mov_build_index(mov_track_t* trak,i
+ for(j=0;j<trak->chunks_size;j++){
+ off_t pos=trak->chunks[j].pos;
+ for(i=0;i<trak->chunks[j].size;i++){
++ if (s >= trak->samples_size)
++ break;
+ trak->samples[s].pos=pos;
+ mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s,
+ trak->samples[s].pts,
+@@ -1568,8 +1573,7 @@ static void lschunks(demuxer_t* demuxer,
+ if( udta_len>udta_size)
+ udta_len=udta_size;
+ {
+- char dump[udta_len-4];
+- stream_read(demuxer->stream, (char *)&dump, udta_len-4-4);
++ stream_skip(demuxer->stream, udta_len-4-4);
+ udta_size -= udta_len;
+ }
+ }
diff --git a/multimedia/mplayer-share/patches/patch-bc b/multimedia/mplayer-share/patches/patch-bc
new file mode 100644
index 00000000000..30a7bd13101
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-bc
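Review bot: In the lschunks hunk, `stream_skip(demuxer->stream, udta_len-4-4);` still derives its count from `udta_len` with only the upper clamp `udta_len=udta_size` visible, so a value below 8 gives a negative or wrapped skip length; removing the `dump` array takes away the stack write but not this arithmetic. A lower-bound guard ahead of the skip, for example `if (udta_len < 8) break;` if the enclosing loop (outside the hunk) permits it, together with a check of the skip's result, would close that. In mov_build_index the two added `if (s >= trak->samples_size) break;` statements leave only the inner loop, so the outer loops keep iterating over `durmap_size` and `chunks_size` without doing work; testing the bound in the outer condition as well would make the intent explicit. The initial value of `last` is set outside the hunk, so the upper bound of the first chunkmap pass cannot be verified from these lines.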
@@ -0,0 +1,12 @@
+$NetBSD: patch-bc,v 1.4.2.1 2008/02/11 12:04:15 ghen Exp $
+
+--- stream/url.c.orig 2007-10-07 21:49:26.000000000 +0200
++++ stream/url.c
+@@ -328,6 +328,7 @@ url_escape_string(char *outbuf, const ch
+ }
+ }
+
++ tmp = NULL;
+ while(i < len) {
+ // look for the next char that must be kept
+ for (j=i;j<len;j++) {
diff --git a/multimedia/mplayer-share/patches/patch-bd b/multimedia/mplayer-share/patches/patch-bd
new file mode 100644
index 00000000000..64e27509531
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-bd
@@ -0,0 +1,34 @@
+$NetBSD: patch-bd,v 1.4.2.1 2008/02/11 12:04:15 ghen Exp $
+
+--- stream/stream_cddb.c.orig 2007-10-07 21:49:26.000000000 +0200
++++ stream/stream_cddb.c
+@@ -53,6 +53,7 @@
+ #include "version.h"
+ #include "stream.h"
+ #include "network.h"
++#include "libavutil/intreadwrite.h"
+
+ #define DEFAULT_FREEDB_SERVER "freedb.freedb.org"
+ #define DEFAULT_CACHE_DIR "/.cddb/"
+@@ -453,8 +454,9 @@ cddb_parse_matches_list(HTTP_header_t *h
+ } else {
+ len = ptr2-ptr+1;
+ }
++ len = FFMIN(sizeof(album_title) - 1, len);
+ strncpy(album_title, ptr, len);
+- album_title[len-2]='\0';
++ album_title[len]='\0';
+ }
+ mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title);
+ return 0;
+@@ -490,8 +492,9 @@ cddb_query_parse(HTTP_header_t *http_hdr
+ } else {
+ len = ptr2-ptr+1;
+ }
++ len = FFMIN(sizeof(album_title) - 1, len);
+ strncpy(album_title, ptr, len);
+- album_title[len-2]='\0';
++ album_title[len]='\0';
+ }
+ mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title);
+ return cddb_request_titles(cddb_data);
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index 7475e392619..98c7746f459 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
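Review bot: The added `tmp = NULL;` in url_escape_string carries no comment, and nothing in the hunk shows why the pointer must be reset at this point; the earlier assignment and the later use of `tmp` are both outside the hunk. A one-line comment would record the reason, for example `/* tmp may still hold a pointer from the parsing above; the loop below must start from NULL */`, worded to match what the surrounding code actually does. The truncated signature in the hunk header shows `outbuf` with no visible size argument, so it is worth confirming that callers size `outbuf` for the worst-case expansion of the escaped string.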
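Review bot: In both cddb_parse_matches_list and cddb_query_parse the terminator moves from `album_title[len-2]` to `album_title[len]`, so the two trailing bytes the old code cut off (presumably the line ending) now stay in the title whenever no truncation occurs, and that string goes straight to `mp_msg`. If the trim was intended, subtract before clamping, e.g. `len = FFMIN(sizeof(album_title) - 1, len > 2 ? len - 2 : 0);`. `FFMIN` here compares a `size_t` with `len`, whose declaration is outside the hunk; if `len` is signed, a negative value converts to a large unsigned one and the clamp silently selects `sizeof(album_title) - 1`, which keeps the write in bounds but deserves a comment or an explicit rejection of `len < 0`. Because the title appears to come from the CDDB server's reply, stripping control characters before logging it is also worth considering.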
@@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.50 2007/12/23 16:02:27 gdt Exp $ +# $NetBSD: Makefile,v 1.50.2.1 2008/02/11 12:04:15 ghen Exp $ PKGNAME= mplayer-${MPLAYER_PKG_VERSION} -PKGREVISION= 1 +PKGREVISION= 2 COMMENT= Software-only MPEG-1/2/4 video decoder |