apply a security fix from upstream CVS:

Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!

This should fix SA26806 (http://secunia.com/advisories/26806/).

bump PKGREVISIONs

1 files changed, 26 insertions, 0 deletions

diff --git a/multimedia/mplayer-share/patches/patch-al b/multimedia/mplayer-share/patches/patch-al
new file mode 100644
index 00000000000..eaf84a00084
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-al
@@ -0,0 +1,26 @@
+$NetBSD: patch-al,v 1.1 2007/09/13 19:16:01 drochner Exp $
+
+--- libmpdemux/aviheader.c.orig	2007-09-13 20:25:34.000000000 +0200
++++ libmpdemux/aviheader.c
+@@ -227,16 +227,16 @@ while(1){
+ 	  
+       print_avisuperindex_chunk(s,MSGL_V);
+       
+-      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+-        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+-        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+-      }
+-
+       // Check and fix this useless crap
+       if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+           mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+           s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+       }
++      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
++	mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
++	s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
++      }
++
+       s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
+       s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
+