diff options
author | drochner <drochner@pkgsrc.org> | 2007-09-13 19:16:01 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2007-09-13 19:16:01 +0000 |
commit | 3a7069df431d892e971bbbbb38badadec6132090 (patch) | |
tree | 8cee033d941914021ef4a28fb02e2c9c627632ff /multimedia/mplayer-share/patches | |
parent | 146368a8acb07c5e1d4f799391c09a061bacfc7c (diff) | |
download | pkgsrc-3a7069df431d892e971bbbbb38badadec6132090.tar.gz |
apply a security fix from upstream CVS:
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!
This should fix SA26806 (http://secunia.com/advisories/26806/).
bump PKGREVISIONs
Diffstat (limited to 'multimedia/mplayer-share/patches')
-rw-r--r-- | multimedia/mplayer-share/patches/patch-al | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/multimedia/mplayer-share/patches/patch-al b/multimedia/mplayer-share/patches/patch-al new file mode 100644 index 00000000000..eaf84a00084 --- /dev/null +++ b/multimedia/mplayer-share/patches/patch-al @@ -0,0 +1,26 @@ +$NetBSD: patch-al,v 1.1 2007/09/13 19:16:01 drochner Exp $ + +--- libmpdemux/aviheader.c.orig 2007-09-13 20:25:34.000000000 +0200 ++++ libmpdemux/aviheader.c +@@ -227,16 +227,16 @@ while(1){ + + print_avisuperindex_chunk(s,MSGL_V); + +- if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ +- mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); +- s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; +- } +- + // Check and fix this useless crap + if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { + mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); + s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; + } ++ if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ ++ mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); ++ s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; ++ } ++ + s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); + s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk)); + |