diff options
| author | drochner <drochner> | 2009-02-02 19:20:48 +0000 |
|---|---|---|
| committer | drochner <drochner> | 2009-02-02 19:20:48 +0000 |
| commit | c1210f86456bbb9754b5eeb0c259201743e51125 (patch) | |
| tree | 63db29cf14ede2c0ac2f7ef3d8ceffb50b7a9e8b /multimedia/mplayer-share/patches/patch-ap | |
| parent | 2c8d995b2d628770385967b71df71bb4db8fe0b1 (diff) | |
| download | pkgsrc-c1210f86456bbb9754b5eeb0c259201743e51125.tar.gz | |
-add a patch from upstream to fix CVE-2008-3162
(stack-based buffer overflow in the str_read_packet function in
libavformat/psxstr.c)
-add (a modified version of) the ffmpeg 4xm patch which fixes
possible memory corruption
bump PKGREVISION
Diffstat (limited to 'multimedia/mplayer-share/patches/patch-ap')
| -rw-r--r-- | multimedia/mplayer-share/patches/patch-ap | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/multimedia/mplayer-share/patches/patch-ap b/multimedia/mplayer-share/patches/patch-ap new file mode 100644 index 00000000000..ba49c896e34 --- /dev/null +++ b/multimedia/mplayer-share/patches/patch-ap @@ -0,0 +1,54 @@ +$NetBSD: patch-ap,v 1.1 2009/02/02 19:20:49 drochner Exp $ + +--- libavformat/psxstr.c.orig 2007-10-07 21:49:38.000000000 +0200 ++++ libavformat/psxstr.c +@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } ++ + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ ++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR(EIO); + + pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; +@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= -1; + return 0; + } + |