Add patch from the MPlayer SVN repository to fix an overflow in the

CDDB code reported in CVE-2007-2948. Bump package revision.

4 files changed, 37 insertions, 5 deletions

diff --git a/multimedia/gmplayer/Makefile b/multimedia/gmplayer/Makefile
index f9d881e5d72..f0c0436f3a2 100644
--- a/multimedia/gmplayer/Makefile
+++ b/multimedia/gmplayer/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.59 2007/01/31 00:04:12 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2007/06/07 13:19:54 tron Exp $
 
 #
 # NOTE: if you are updating both mplayer and gmplayer, you must ensure
@@ -9,7 +9,7 @@
 #
 
 PKGNAME=	gmplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=	1
+PKGREVISION=	2
 
 BROKEN_IN=		pkgsrc-2006Q4
 
diff --git a/multimedia/gmplayer/distinfo b/multimedia/gmplayer/distinfo
index 6d43d2a524d..956c710771a 100644
--- a/multimedia/gmplayer/distinfo
+++ b/multimedia/gmplayer/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.46 2007/03/23 07:40:12 wiz Exp $
+$NetBSD: distinfo,v 1.47 2007/06/07 13:19:54 tron Exp $
 
 SHA1 (gmplayer-1.0rc9-20060123/AlienMind-1.2.tar.bz2) = 34370da1e003e4accceae194a63483aa6eebc4dc
 RMD160 (gmplayer-1.0rc9-20060123/AlienMind-1.2.tar.bz2) = f3fda7d44a59f98097162f76d0a0d58840974998
@@ -67,6 +67,7 @@ SHA1 (patch-aa) = ec50dd83f781fbac260ff469846c8c91b6471642
 SHA1 (patch-ab) = 29bf59ecb3d283708ae1c5002d1fa71cac627cc9
 SHA1 (patch-ac) = 6d0de4bd41d9842ea1bf46e9fbe60bf6a943b913
 SHA1 (patch-ad) = d0b72eaa5e63d2cfd7828ea1a9973f1728c607b5
+SHA1 (patch-ae) = b725fce8f4dfb7b06f6de388265ce317f22824e9
 SHA1 (patch-ah) = 7aeb9f04d622fcad8c40dc9edbb0a58277fc622b
 SHA1 (patch-ai) = bcf45db81587d99fc69ae5fcf89ff4a4b8f6f53c
 SHA1 (patch-aj) = 40ba1625f85f0264628013ad0209aa095e8e5d3f
diff --git a/multimedia/mplayer-share/patches/patch-ae b/multimedia/mplayer-share/patches/patch-ae
new file mode 100644
index 00000000000..0416ef39e00
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-ae
@@ -0,0 +1,31 @@
+$NetBSD: patch-ae,v 1.7 2007/06/07 13:19:54 tron Exp $
+
+--- stream/stream_cddb.c.orig	2006-10-22 23:32:25.000000000 +0100
++++ stream/stream_cddb.c	2007-06-07 13:57:35.000000000 +0100
+@@ -435,7 +435,7 @@
+ 
+ 	switch(status) {
+ 		case 210:
+-			ret = sscanf( http_hdr->body, "%d %s %08lx", &status, category, &disc_id);
++			ret = sscanf( http_hdr->body, "%d %99s %08lx", &status, category, &disc_id);
+ 			if( ret!=3 ) {
+ 				mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+ 				return -1;
+@@ -496,7 +496,7 @@
+ 	ptr++;
+ 	// We have a list of exact/inexact matches, so which one do we use?
+ 	// So let's take the first one.
+-	ret = sscanf(ptr, "%s %08lx %s", cddb_data->category, &(cddb_data->disc_id), album_title);
++	ret = sscanf(ptr, "%99s %08lx %99s", cddb_data->category, &(cddb_data->disc_id), album_title);
+ 	if( ret!=3 ) {
+ 		mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+ 		return -1;
+@@ -533,7 +533,7 @@
+ 	switch(status) {
+ 		case 200:
+ 			// Found exact match
+-			ret = sscanf(http_hdr->body, "%d %s %08lx %s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
++			ret = sscanf(http_hdr->body, "%d %99s %08lx %99s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
+ 			if( ret!=4 ) {
+ 				mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+ 				return -1;
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index 1637eef62a9..6b63e178de5 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.41 2007/03/09 15:14:16 drochner Exp $
+# $NetBSD: Makefile,v 1.42 2007/06/07 13:19:54 tron Exp $
 
 PKGNAME=	mplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=	5
+PKGREVISION=	6
 
 COMMENT=	Software-only MPEG-1/2/4 video decoder