authordrochner <drochner@pkgsrc.org>2011-07-18 17:06:42 +0000
committerdrochner <drochner@pkgsrc.org>2011-07-18 17:06:42 +0000
commit4f0f038eb9a0108ec3ca158ec1b7faffb1194934 (patch)
treed70525841d99e4bf52bfc56aa4fb10f4a040df7b /multimedia/vlc
parent54fc631051b0fbf3b9363aa1c8cbd9b756d57373 (diff)
add patches from upstream to plug 2 security problems:
- heap overflow in the AVI file parser (CVE-2011-2588)
- heap overflow in the Real Media file parser (CVE-2011-2587)
bump PKGREV
Diffstat (limited to 'multimedia/vlc')
-rw-r--r--multimedia/vlc/Makefile3
-rw-r--r--multimedia/vlc/distinfo4
-rw-r--r--multimedia/vlc/patches/patch-au25
-rw-r--r--multimedia/vlc/patches/patch-av24
4 files changed, 54 insertions, 2 deletions
diff --git a/multimedia/vlc/Makefile b/multimedia/vlc/Makefile
index a704d73b957..81b504e47a2 100644
--- a/multimedia/vlc/Makefile
+++ b/multimedia/vlc/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.112 2011/06/07 13:59:17 drochner Exp $
+# $NetBSD: Makefile,v 1.113 2011/07/18 17:06:42 drochner Exp $
#
DISTNAME= vlc-${VLC_VERSION}
+PKGREVISION= 1
CATEGORIES= multimedia
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=vlc/} \
http://download.videolan.org/pub/videolan/vlc/${VLC_VERSION}/
diff --git a/multimedia/vlc/distinfo b/multimedia/vlc/distinfo
index 440a889d8c7..380b07b17af 100644
--- a/multimedia/vlc/distinfo
+++ b/multimedia/vlc/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2011/06/07 13:59:17 drochner Exp $
+$NetBSD: distinfo,v 1.46 2011/07/18 17:06:42 drochner Exp $
SHA1 (vlc-1.1.10.tar.bz2) = 6c7b3fefb2ad1e2ab53d17eabf509a318b76ef03
RMD160 (vlc-1.1.10.tar.bz2) = 8a4b32bceb2eb3d9a3a062477f772a53098cad0b
@@ -9,4 +9,6 @@ SHA1 (patch-ap) = 423b571ca8a1b740812aea021e331912ba34c868
SHA1 (patch-ar) = 25d22167cef8b8fa2a07ef633de196726eb354d2
SHA1 (patch-as) = b53b074b2791d7bf69d5f09c7c32d873608f3086
SHA1 (patch-at) = 5761ec0809d2b03511666ae81f7b4ae01b6f5930
+SHA1 (patch-au) = 551dd7d84e3e74a95891a708330af8a9e315c4d8
+SHA1 (patch-av) = 892a0e260e594d0ec736f79b1e0e037d6c1a9685
SHA1 (patch-configure) = 83f476cc71d795a69f787713a04471e078c0ec52
diff --git a/multimedia/vlc/patches/patch-au b/multimedia/vlc/patches/patch-au
new file mode 100644
index 00000000000..b853199fac2
--- /dev/null
+++ b/multimedia/vlc/patches/patch-au
@@ -0,0 +1,25 @@
+$NetBSD: patch-au,v 1.7 2011/07/18 17:06:43 drochner Exp $
+
+CVE-2011-2588
+
+--- modules/demux/avi/libavi.c.orig 2011-05-06 15:41:42.000000000 +0000
++++ modules/demux/avi/libavi.c
+@@ -386,7 +386,8 @@ static int AVI_ChunkRead_strf( stream_t
+ case( AVIFOURCC_vids ):
+ p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
+ p_chk->strf.vids.i_cat = VIDEO_ES;
+- p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
++ p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
++ sizeof( *p_chk->strf.vids.p_bih ) ) );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
+@@ -402,7 +403,7 @@ static int AVI_ChunkRead_strf( stream_t
+ {
+ p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
+ }
+- if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
++ if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
+ {
+ memcpy( &p_chk->strf.vids.p_bih[1],
+ p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
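Review bot: The enlarged `malloc()` in the `AVIFOURCC_vids` case is used on the very next line (`AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize )`, which appears to store into the new allocation) with no NULL check visible in the hunk. Since `i_chunk_size` looks like it is taken from the file, a very large chunk size could make the allocation fail and the following stores dereference NULL. I would add `if( p_chk->strf.vids.p_bih == NULL )` directly after the malloc and leave through the function's existing error exit so the read buffer is released. The length argument of the `memcpy` guarded by the corrected comparison is outside the visible lines, so it is worth confirming that it is bounded by the bytes actually read and not by `i_chunk_size` alone. AVI_ChunkRead_strf starts and ends outside the hunk.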
diff --git a/multimedia/vlc/patches/patch-av b/multimedia/vlc/patches/patch-av
new file mode 100644
index 00000000000..42f62bf48d0
--- /dev/null
+++ b/multimedia/vlc/patches/patch-av
@@ -0,0 +1,24 @@
+$NetBSD: patch-av,v 1.3 2011/07/18 17:06:43 drochner Exp $
+
+CVE-2011-2587
+
+--- modules/demux/real.c.orig 2010-12-29 21:38:25.000000000 +0000
++++ modules/demux/real.c
+@@ -841,7 +841,8 @@ static void DemuxAudioSipr( demux_t *p_d
+ demux_sys_t *p_sys = p_demux->p_sys;
+ block_t *p_block = tk->p_sipr_packet;
+
+- if( p_sys->i_buffer < tk->i_frame_size )
++ if( p_sys->i_buffer < tk->i_frame_size
++ || tk->i_sipr_subpacket_count >= tk->i_subpacket_h )
+ return;
+
+ if( !p_block )
+@@ -851,7 +852,6 @@ static void DemuxAudioSipr( demux_t *p_d
+ return;
+ tk->p_sipr_packet = p_block;
+ }
+-
+ memcpy( p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size,
+ p_sys->buffer, tk->i_frame_size );
+ if (!tk->i_sipr_subpacket_count)
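Review bot: The new guard in DemuxAudioSipr bounds `i_sipr_subpacket_count` by `i_subpacket_h`, but the `memcpy` below is only safe if the block was allocated with at least `i_subpacket_h * i_frame_size` bytes, and that allocation sits in the lines elided between the two inner hunks. I would document the invariant on the guard, for example `/* p_sipr_packet holds i_subpacket_h frames of i_frame_size bytes; never index past it */`, and confirm that both fields are range-checked where the track header is parsed so their product cannot wrap. The early return also drops the frame silently; a debug-level log message there would help when diagnosing malformed streams. The second inner hunk only removes a blank line and could be dropped to keep the security patch minimal. The function body continues past the end of the hunk.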