Fix security problem:

* Fix possible buffer overflows when parsing Audible .aa files.

Bump PKGREVISION.

3 files changed, 93 insertions, 2 deletions

diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index 214b24b7b85..54b6eb07c5b 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.68 2009/01/08 11:43:36 shattered Exp $
+# $NetBSD: Makefile,v 1.69 2009/01/12 12:33:39 wiz Exp $
 
 DISTNAME=		amarok-${VERSION}
 VERSION=		1.4.10
+PKGREVISION=		1
 CATEGORIES=		audio kde
 MASTER_SITES=		${MASTER_SITE_KDE:=amarok/${VERSION}/src/}
 EXTRACT_SUFX=		.tar.bz2
diff --git a/audio/amarok/distinfo b/audio/amarok/distinfo
index 4ab46b95654..9e64eea0bfa 100644
--- a/audio/amarok/distinfo
+++ b/audio/amarok/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.35 2008/09/22 05:35:20 wiz Exp $
+$NetBSD: distinfo,v 1.36 2009/01/12 12:33:39 wiz Exp $
 
 SHA1 (amarok-1.4.10.tar.bz2) = cb0bebe99c6f4dc1b01601f2f3aee3a86da08fbd
 RMD160 (amarok-1.4.10.tar.bz2) = f86c71dd0459e0cf1ff586cd6de240ca6501cf62
 Size (amarok-1.4.10.tar.bz2) = 12812583 bytes
 SHA1 (patch-aa) = 53316f334f45a8a4780ae71061d528374a75cb5a
 SHA1 (patch-ab) = 91097c1d901fb66c5c8e593005c462b1874f50bf
+SHA1 (patch-ad) = eea8105897ce4cd9d4a086430ec0588125b3517b
diff --git a/audio/amarok/patches/patch-ad b/audio/amarok/patches/patch-ad
new file mode 100644
index 00000000000..ace497e89dd
--- /dev/null
+++ b/audio/amarok/patches/patch-ad
@@ -0,0 +1,89 @@
+$NetBSD: patch-ad,v 1.1 2009/01/12 12:33:40 wiz Exp $
+
+Security fix, SVN r908415 from upstream 1.4.x branch.
+
+--- amarok/src/metadata/audible/audibletag.cpp.orig	2008-08-13 23:21:51.000000000 +0200
++++ amarok/src/metadata/audible/audibletag.cpp
+@@ -71,7 +71,8 @@ void Audible::Tag::readTags( FILE *fp )
+ {
+     char buf[1023];
+     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+-    fread(buf, strlen("product_id"), 1, fp);
++    if (fread(buf, strlen("product_id"), 1, fp) != 1)
++        return;
+     if(memcmp(buf, "product_id", strlen("product_id")))
+     {
+         buf[20]='\0';
+@@ -130,24 +131,65 @@ void Audible::Tag::readTags( FILE *fp )
+ 
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
++    const uint32_t maxtaglen = 100000;    
++
+     uint32_t nlen;
+-    fread(&nlen, sizeof(nlen), 1, fp);
++    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++        return false;
+     nlen = ntohl(nlen);
+     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+-    *name = new char[nlen+1];
+-    (*name)[nlen] = '\0';
++    if (nlen > maxtaglen)
++        return false;
+ 
+     uint32_t vlen;
+-    fread(&vlen, sizeof(vlen), 1, fp);
++    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++        return false;
+     vlen = ntohl(vlen);
+     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++    if (vlen > maxtaglen)
++        return false;
++
++    *name = new char[nlen+1];
++    if (!*name)
++        return false;
++        
+     *value = new char[vlen+1];
++    if (!*value)
++    {
++        delete[] *name;
++        *name = 0;
++        return false;
++    }
++
++    (*name)[nlen] = '\0';
+     (*value)[vlen] = '\0';
+ 
+-    fread(*name, nlen, 1, fp);
+-    fread(*value, vlen, 1, fp);
++    if (fread(*name, nlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
++    if (fread(*value, vlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     char lasttag;
+-    fread(&lasttag, 1, 1, fp);
++    if (fread(&lasttag, 1, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+ 
+     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;