summaryrefslogtreecommitdiff
path: root/multimedia/gst-plugins0.10-good
diff options
context:
space:
mode:
authordrochner <drochner@pkgsrc.org>2009-06-05 10:48:37 +0000
committerdrochner <drochner@pkgsrc.org>2009-06-05 10:48:37 +0000
commit4caeda64ee7d2ff33522cfa862b6d24cf41906f1 (patch)
tree3d725323af05e6f62294700938d2658d0b27e1f8 /multimedia/gst-plugins0.10-good
parentda7e4d45489114b73a74ab980219344cbf5264a6 (diff)
downloadpkgsrc-4caeda64ee7d2ff33522cfa862b6d24cf41906f1.tar.gz
add a security patch from upstream CVS:
A malformed (or simply huge) PNG file can lead to integer overflow in calculating the size of the output buffer, leading to crashes or buffer overflows later. Fixes SA35205 security advisory. bump PKGREVISION of affected plugin
Diffstat (limited to 'multimedia/gst-plugins0.10-good')
-rw-r--r--multimedia/gst-plugins0.10-good/distinfo3
-rw-r--r--multimedia/gst-plugins0.10-good/patches/patch-ad52
2 files changed, 54 insertions, 1 deletions
diff --git a/multimedia/gst-plugins0.10-good/distinfo b/multimedia/gst-plugins0.10-good/distinfo
index 595b583de43..664fa546ed5 100644
--- a/multimedia/gst-plugins0.10-good/distinfo
+++ b/multimedia/gst-plugins0.10-good/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.20 2009/05/25 15:50:12 drochner Exp $
+$NetBSD: distinfo,v 1.21 2009/06/05 10:48:37 drochner Exp $
SHA1 (gst-plugins-good-0.10.15.tar.bz2) = b37611f5b4e28c19159ed3f71aeaf7dfff513174
RMD160 (gst-plugins-good-0.10.15.tar.bz2) = 6caa4c4f93285f03c15c23ac0ae5d390c20bfd07
Size (gst-plugins-good-0.10.15.tar.bz2) = 2354906 bytes
SHA1 (patch-ab) = ab70993a71c4b288c21e72847186011c33bd0fb1
SHA1 (patch-ac) = 8867119011dc8cca89cc3a35fb3f095212887bf7
+SHA1 (patch-ad) = af76828f5ee9ae7b41fd66da8703fbede3d464c1
SHA1 (patch-ba) = e296bbcfc606967b71765988ae1c3ffe96b9359a
diff --git a/multimedia/gst-plugins0.10-good/patches/patch-ad b/multimedia/gst-plugins0.10-good/patches/patch-ad
new file mode 100644
index 00000000000..461d933fc9b
--- /dev/null
+++ b/multimedia/gst-plugins0.10-good/patches/patch-ad
@@ -0,0 +1,52 @@
+$NetBSD: patch-ad,v 1.5 2009/06/05 10:48:38 drochner Exp $
+
+--- ext/libpng/gstpngdec.c.orig 2009-05-12 02:00:06.000000000 +0200
++++ ext/libpng/gstpngdec.c
+@@ -201,7 +201,14 @@ user_info_callback (png_structp png_ptr,
+
+ /* Allocate output buffer */
+ pngdec->rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+- buffer_size = pngdec->height * GST_ROUND_UP_4 (pngdec->rowbytes);
++ if (pngdec->rowbytes > (G_MAXUINT32 - 3)
++ || pngdec->height > G_MAXUINT32 / pngdec->rowbytes) {
++ ret = GST_FLOW_ERROR;
++ goto beach;
++ }
++ pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);
++ buffer_size = pngdec->height * pngdec->rowbytes;
++
+ ret =
+ gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+ buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -228,7 +235,7 @@ user_endrow_callback (png_structp png_pt
+ /* If buffer_out doesn't exist, it means buffer_alloc failed, which
+ * will already have set the return code */
+ if (GST_IS_BUFFER (pngdec->buffer_out)) {
+- size_t offset = row_num * GST_ROUND_UP_4 (pngdec->rowbytes);
++ size_t offset = row_num * pngdec->rowbytes;
+
+ GST_LOG ("got row %u, copying in buffer %p at offset %" G_GSIZE_FORMAT,
+ (guint) row_num, pngdec->buffer_out, offset);
+@@ -496,7 +503,12 @@ gst_pngdec_task (GstPad * pad)
+
+ /* Allocate output buffer */
+ rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+- buffer_size = pngdec->height * GST_ROUND_UP_4 (rowbytes);
++ if (rowbytes > (G_MAXUINT32 - 3) || pngdec->height > G_MAXUINT32 / rowbytes) {
++ ret = GST_FLOW_ERROR;
++ goto pause;
++ }
++ rowbytes = GST_ROUND_UP_4 (rowbytes);
++ buffer_size = pngdec->height * rowbytes;
+ ret =
+ gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+ buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -509,7 +521,7 @@ gst_pngdec_task (GstPad * pad)
+
+ for (i = 0; i < pngdec->height; i++) {
+ rows[i] = inp;
+- inp += GST_ROUND_UP_4 (rowbytes);
++ inp += rowbytes;
+ }
+
+ /* Read the actual picture */