add a patch from upstream to fix a buffer overflow in vorbis coverart

code (CVE-2009-0586), bump PKGREVISION

3 files changed, 91 insertions, 2 deletions

diff --git a/multimedia/gst-plugins0.10-base/Makefile b/multimedia/gst-plugins0.10-base/Makefile
index 63cf3e402d3..bd3de671942 100644
--- a/multimedia/gst-plugins0.10-base/Makefile
+++ b/multimedia/gst-plugins0.10-base/Makefile
@@ -1,9 +1,11 @@
-# $NetBSD: Makefile,v 1.10 2009/01/26 10:39:01 drochner Exp $
+# $NetBSD: Makefile,v 1.11 2009/03/23 12:03:24 drochner Exp $
 #
 PKG_DESTDIR_SUPPORT=	user-destdir
 
 .include "Makefile.common"
 
+PKGREVISION=		1
+
 COMMENT+=		base plugins
 
 # some plugins were moved from bad to base
diff --git a/multimedia/gst-plugins0.10-base/distinfo b/multimedia/gst-plugins0.10-base/distinfo
index c5e59aa1eb3..e6b53b28831 100644
--- a/multimedia/gst-plugins0.10-base/distinfo
+++ b/multimedia/gst-plugins0.10-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2009/01/26 10:39:01 drochner Exp $
+$NetBSD: distinfo,v 1.21 2009/03/23 12:03:24 drochner Exp $
 
 SHA1 (gst-plugins-base-0.10.22.tar.bz2) = 8e6a894858f5412234ce1591bbb773102c150cb7
 RMD160 (gst-plugins-base-0.10.22.tar.bz2) = 013de77422d6e89b64cf55ff7299b0ff1e38ef8a
@@ -6,3 +6,4 @@ Size (gst-plugins-base-0.10.22.tar.bz2) = 2118085 bytes
 SHA1 (patch-aa) = be36e5a0f1de11900df7c510e7a9a03dd19d6e85
 SHA1 (patch-ab) = 0a739fbee2c49d75e9164c2b083820fd9d27c34a
 SHA1 (patch-ac) = 3a8a102f2c0740f481e115d68bc44d9e2bf66aae
+SHA1 (patch-ad) = f10ef3184acacf800ca50839e95fbd358f892cc9
diff --git a/multimedia/gst-plugins0.10-base/patches/patch-ad b/multimedia/gst-plugins0.10-base/patches/patch-ad
new file mode 100644
index 00000000000..b7da3332822
--- /dev/null
+++ b/multimedia/gst-plugins0.10-base/patches/patch-ad
@@ -0,0 +1,86 @@
+$NetBSD: patch-ad,v 1.1 2009/03/23 12:03:24 drochner Exp $
+
+--- gst-libs/gst/tag/gstvorbistag.c.orig	2008-10-11 01:22:50.000000000 +0200
++++ gst-libs/gst/tag/gstvorbistag.c
+@@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, c
+ }
+ 
+ static void
+-gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
++gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64,
+     gint base64_len)
+ {
+   GstBuffer *img;
+-  guchar *img_data;
+   gsize img_len;
++  guchar *out;
+   guint save = 0;
+   gint state = 0;
+ 
+   if (base64_len < 2)
+     goto not_enough_data;
+ 
+-  img_data = g_try_malloc0 (base64_len * 3 / 4);
+-
+-  if (img_data == NULL)
+-    goto alloc_failed;
+-
+-  img_len = g_base64_decode_step (img_data_base64, base64_len, img_data,
+-      &state, &save);
++  /* img_data_base64 points to a temporary copy of the base64 encoded data, so
++   * it's safe to do inpace decoding here
++   * TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this
++   * to use glib's API instead once it's in wider use:
++   *  http://bugzilla.gnome.org/show_bug.cgi?id=564728
++   *  http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */
++  out = (guchar *) img_data_base64;
++  img_len = g_base64_decode_step (img_data_base64, base64_len,
++      out, &state, &save);
+ 
+   if (img_len == 0)
+     goto decode_failed;
+ 
+-  img = gst_tag_image_data_to_image_buffer (img_data, img_len,
++  img = gst_tag_image_data_to_image_buffer (out, img_len,
+       GST_TAG_IMAGE_TYPE_NONE);
+ 
+   if (img == NULL)
+@@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList 
+       GST_TAG_PREVIEW_IMAGE, img, NULL);
+ 
+   gst_buffer_unref (img);
+-  g_free (img_data);
+   return;
+ 
+ /* ERRORS */
+@@ -347,21 +348,14 @@ not_enough_data:
+     GST_WARNING ("COVERART tag with too little base64-encoded data");
+     return;
+   }
+-alloc_failed:
+-  {
+-    GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag");
+-    return;
+-  }
+ decode_failed:
+   {
+-    GST_WARNING ("Couldn't decode bas64 image data from COVERART tag");
+-    g_free (img_data);
++    GST_WARNING ("Couldn't decode base64 image data from COVERART tag");
+     return;
+   }
+ convert_failed:
+   {
+     GST_WARNING ("Couldn't extract image or image type from COVERART tag");
+-    g_free (img_data);
+     return;
+   }
+ }
+@@ -457,6 +451,7 @@ error:
+   return NULL;
+ #undef ADVANCE
+ }
++
+ typedef struct
+ {
+   guint count;