authordrochner <drochner>2005-01-07 14:52:13 +0000
committerdrochner <drochner>2005-01-07 14:52:13 +0000
commit1078fcdd996d80360f51aac93a63957728827b08 (patch)
treed41b7e809de69d5215b493cb798a3dd234a49199 /audio/mpg123/patches
parent085ebe47af0137d203a5540975b57709924028bb (diff)
Fix a buffer overflow by a malicious playlist (CAN-2004-1284).
While here, fix a possible problem which was mentioned in conjunction with CAN-2003-0577 - zero bitrate makes mpg123 assume a negative frame size. Bump PKGREVISION.
Diffstat (limited to 'audio/mpg123/patches')
-rw-r--r--audio/mpg123/patches/patch-as13
-rw-r--r--audio/mpg123/patches/patch-at17
2 files changed, 30 insertions, 0 deletions
diff --git a/audio/mpg123/patches/patch-as b/audio/mpg123/patches/patch-as
new file mode 100644
index 00000000000..458c6881cfd
--- /dev/null
+++ b/audio/mpg123/patches/patch-as
@@ -0,0 +1,13 @@
+$NetBSD: patch-as,v 1.1 2005/01/07 14:52:13 drochner Exp $
+
+--- common.c.orig 1999-06-15 23:24:19.000000000 +0200
++++ common.c
+@@ -123,7 +123,7 @@ int head_check(unsigned long head)
+ return FALSE;
+ if(!((head>>17)&3))
+ return FALSE;
+- if( ((head>>12)&0xf) == 0xf)
++ if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0)
+ return FALSE;
+ if( ((head>>10)&0x3) == 0x3 )
+ return FALSE;
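Review bot: The added `((head>>12)&0xf) == 0` test in head_check carries no comment explaining why bitrate index 0 is rejected, and it now refuses every header with that index. Per the commit message a zero bitrate makes mpg123 assume a negative frame size, so a comment above the condition such as `/* bitrate index 0 yields a zero bitrate and a negative frame size later on; reject it */` would record the reason. If the frame-size computation lives elsewhere (not visible here), it is worth confirming that it also refuses a non-positive size, since this check only protects paths that go through head_check. The function body starts and ends outside the hunk.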
diff --git a/audio/mpg123/patches/patch-at b/audio/mpg123/patches/patch-at
new file mode 100644
index 00000000000..235fbb0e18d
--- /dev/null
+++ b/audio/mpg123/patches/patch-at
@@ -0,0 +1,17 @@
+$NetBSD: patch-at,v 1.1 2005/01/07 14:52:13 drochner Exp $
+
+--- mpg123.c.orig 2005-01-07 15:18:27.000000000 +0100
++++ mpg123.c
+@@ -309,9 +309,9 @@ char *find_next_file (int argc, char *ar
+ if (line[0]=='\0' || line[0]=='#')
+ continue;
+ if ((listnamedir) && (line[0]!='/') && (line[0]!='\\')){
+- strcpy (linetmp, listnamedir);
+- strcat (linetmp, line);
+- strcpy (line, linetmp);
++ strncpy (linetmp, listnamedir, 1023);
++ strncat (linetmp, line, 1023 - strlen(linetmp));
++ strncpy (line, linetmp, 1023);
+ }
+ return (line);
+ }
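Review bot: `strncpy (linetmp, listnamedir, 1023)` writes no terminating NUL when listnamedir is 1023 bytes or longer, so the following `strlen(linetmp)` can read past the buffer and `1023 - strlen(linetmp)` can wrap to a huge size_t, leaving the strncat effectively unbounded. The same holds for `strncpy (line, linetmp, 1023)`, which can hand back an unterminated `line`. Assuming both buffers are 1024 bytes (their declarations are outside the hunk), add `linetmp[1023] = '\0';` after the first strncpy and `line[1023] = '\0';` after the last, or build the path with a single `snprintf` and check its return value for truncation. A path that was silently truncated should probably be skipped with a warning rather than returned to the caller. find_next_file starts outside the hunk.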