add a patch from upstream CVS to fix an integer overflow in the

Quicktime demuxer, bump PKGREVISION

1 files changed, 26 insertions, 0 deletions

diff --git a/multimedia/xine-lib/patches/patch-ay b/multimedia/xine-lib/patches/patch-ay
new file mode 100644
index 00000000000..9630bd4f2f8
--- /dev/null
+++ b/multimedia/xine-lib/patches/patch-ay
@@ -0,0 +1,26 @@
+$NetBSD: patch-ay,v 1.7 2009/04/05 13:15:01 drochner Exp $
+
+--- src/demuxers/demux_qt.c.orig	2009-04-05 11:28:05.000000000 +0200
++++ src/demuxers/demux_qt.c
+@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak
+     } else if (current_atom == STTS_ATOM) {
+ 
+       /* there should only be one of these atoms */
+-      if (trak->time_to_sample_table) {
++      if (trak->time_to_sample_table
++	  || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
+         last_error = QT_HEADER_TROUBLE;
+         goto free_trak;
+       }
+@@ -1545,6 +1546,11 @@ static qt_error parse_trak_atom (qt_trak
+       debug_atom_load("    qt stts atom (time-to-sample atom): %d entries\n",
+         trak->time_to_sample_count);
+ 
++      if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
++	last_error = QT_HEADER_TROUBLE;
++	goto free_trak;
++      }
++
+       trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
+         trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
+       if (!trak->time_to_sample_table) {