authorrtr <rtr>2009-01-14 06:46:53 +0000
committerrtr <rtr>2009-01-14 06:46:53 +0000
commite818019504a3eb2fb6364f40de19bdc68b54a0a3 (patch)
tree4c1cfbffe323d834c50ff3abd3e3f7feb5624a4e /audio
parent4de80b693235698d4dfeb417f284800f701bade6 (diff)
downloadpkgsrc-e818019504a3eb2fb6364f40de19bdc68b54a0a3.tar.gz
pullup ticket #2632 - requested by wiz
amarok: fix possible buffer overflows revisions pulled up: pkgsrc/audio/amarok/Makefile 1.69 pkgsrc/audio/amarok/distinfo 1.36 pkgsrc/audio/amarok/patches/patch-ad 1.1 Module Name: pkgsrc Committed By: wiz Date: Mon Jan 12 12:33:40 UTC 2009 Modified Files: pkgsrc/audio/amarok: Makefile distinfo Added Files: pkgsrc/audio/amarok/patches: patch-ad Log Message: Fix security problem: * Fix possible buffer overflows when parsing Audible .aa files. Bump PKGREVISION.
Diffstat (limited to 'audio')
-rw-r--r--audio/amarok/Makefile3
-rw-r--r--audio/amarok/distinfo3
-rw-r--r--audio/amarok/patches/patch-ad89
3 files changed, 93 insertions, 2 deletions
diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index a90f6ef5a72..9fbd20c911c 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.67 2008/08/15 12:52:57 wiz Exp $
+# $NetBSD: Makefile,v 1.67.6.1 2009/01/14 06:46:53 rtr Exp $
DISTNAME= amarok-${VERSION}
VERSION= 1.4.10
+PKGREVISION= 1
CATEGORIES= audio kde
MASTER_SITES= ${MASTER_SITE_KDE:=amarok/${VERSION}/src/}
EXTRACT_SUFX= .tar.bz2
diff --git a/audio/amarok/distinfo b/audio/amarok/distinfo
index 4ab46b95654..28b3204be26 100644
--- a/audio/amarok/distinfo
+++ b/audio/amarok/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.35 2008/09/22 05:35:20 wiz Exp $
+$NetBSD: distinfo,v 1.35.4.1 2009/01/14 06:46:53 rtr Exp $
SHA1 (amarok-1.4.10.tar.bz2) = cb0bebe99c6f4dc1b01601f2f3aee3a86da08fbd
RMD160 (amarok-1.4.10.tar.bz2) = f86c71dd0459e0cf1ff586cd6de240ca6501cf62
Size (amarok-1.4.10.tar.bz2) = 12812583 bytes
SHA1 (patch-aa) = 53316f334f45a8a4780ae71061d528374a75cb5a
SHA1 (patch-ab) = 91097c1d901fb66c5c8e593005c462b1874f50bf
+SHA1 (patch-ad) = eea8105897ce4cd9d4a086430ec0588125b3517b
diff --git a/audio/amarok/patches/patch-ad b/audio/amarok/patches/patch-ad
new file mode 100644
index 00000000000..9c5059c5a25
--- /dev/null
+++ b/audio/amarok/patches/patch-ad
@@ -0,0 +1,89 @@
+$NetBSD: patch-ad,v 1.1.2.2 2009/01/14 06:46:53 rtr Exp $
+
+Security fix, SVN r908415 from upstream 1.4.x branch.
+
+--- amarok/src/metadata/audible/audibletag.cpp.orig 2008-08-13 23:21:51.000000000 +0200
++++ amarok/src/metadata/audible/audibletag.cpp
+@@ -71,7 +71,8 @@ void Audible::Tag::readTags( FILE *fp )
+ {
+ char buf[1023];
+ fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+- fread(buf, strlen("product_id"), 1, fp);
++ if (fread(buf, strlen("product_id"), 1, fp) != 1)
++ return;
+ if(memcmp(buf, "product_id", strlen("product_id")))
+ {
+ buf[20]='\0';
+@@ -130,24 +131,65 @@ void Audible::Tag::readTags( FILE *fp )
+
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
++ const uint32_t maxtaglen = 100000;
++
+ uint32_t nlen;
+- fread(&nlen, sizeof(nlen), 1, fp);
++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++ return false;
+ nlen = ntohl(nlen);
+ //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+- *name = new char[nlen+1];
+- (*name)[nlen] = '\0';
++ if (nlen > maxtaglen)
++ return false;
+
+ uint32_t vlen;
+- fread(&vlen, sizeof(vlen), 1, fp);
++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++ return false;
+ vlen = ntohl(vlen);
+ //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++ if (vlen > maxtaglen)
++ return false;
++
++ *name = new char[nlen+1];
++ if (!*name)
++ return false;
++
+ *value = new char[vlen+1];
++ if (!*value)
++ {
++ delete[] *name;
++ *name = 0;
++ return false;
++ }
++
++ (*name)[nlen] = '\0';
+ (*value)[vlen] = '\0';
+
+- fread(*name, nlen, 1, fp);
+- fread(*value, vlen, 1, fp);
++ if (fread(*name, nlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
++ if (fread(*value, vlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ char lasttag;
+- fread(&lasttag, 1, 1, fp);
++ if (fread(&lasttag, 1, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+
+ m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
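Review bot: The new `fread(*name, nlen, 1, fp) != 1` and `fread(*value, vlen, 1, fp) != 1` checks in readTag reject any tag whose name or value length is zero, because fread returns 0 whenever the element size is 0; before this patch such a tag was accepted, and now it ends parsing with `return false`. If empty values can occur in .aa files, guard each read with its length, e.g. `if (vlen && fread(*value, vlen, 1, fp) != 1)` and likewise for `nlen`. Separately, the `if (!*name)` and `if (!*value)` tests are dead code with plain `new char[...]`, which throws std::bad_alloc instead of returning null; `new (std::nothrow) char[nlen+1]` (from `<new>`) would make them effective. The three identical delete-and-null cleanup blocks could be folded into one small helper so a later edit cannot miss one of them. readTag's body continues past the end of the hunk, so how callers release `*name` and `*value` is not visible here.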