diff options
author | drochner <drochner@pkgsrc.org> | 2008-03-19 16:09:35 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2008-03-19 16:09:35 +0000 |
commit | e38b0214bd7755b92bdba4686ecf7dd0538f5aaf (patch) | |
tree | 057bdf8d901e6ebfd021de8baa1753b7175a1dd2 /multimedia/xine-lib | |
parent | c088a7a80671392819f20840bbb6d47ff5e3dc18 (diff) | |
download | pkgsrc-e38b0214bd7755b92bdba4686ecf7dd0538f5aaf.tar.gz |
add patch from upstream to fix a buffer overflow in the SDP parser
(CVE-2008-0073)
bump PKGREVISION
Diffstat (limited to 'multimedia/xine-lib')
-rw-r--r-- | multimedia/xine-lib/Makefile | 4 | ||||
-rw-r--r-- | multimedia/xine-lib/distinfo | 4 | ||||
-rw-r--r-- | multimedia/xine-lib/patches/patch-ga | 59 | ||||
-rw-r--r-- | multimedia/xine-lib/patches/patch-gb | 22 |
4 files changed, 86 insertions, 3 deletions
diff --git a/multimedia/xine-lib/Makefile b/multimedia/xine-lib/Makefile index 4b39d52cd6d..3aabc9e8953 100644 --- a/multimedia/xine-lib/Makefile +++ b/multimedia/xine-lib/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.55 2008/02/11 15:03:18 tnn Exp $ +# $NetBSD: Makefile,v 1.56 2008/03/19 16:09:35 drochner Exp $ .include "Makefile.common" COMMENT= Multimedia player library -PKGREVISION= 1 +PKGREVISION= 2 BUILDLINK_API_DEPENDS.vcdimager+= vcdimager>=0.7.20nb1 diff --git a/multimedia/xine-lib/distinfo b/multimedia/xine-lib/distinfo index 6fc932e2c9a..127e7ef5007 100644 --- a/multimedia/xine-lib/distinfo +++ b/multimedia/xine-lib/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.51 2008/02/08 17:43:06 drochner Exp $ +$NetBSD: distinfo,v 1.52 2008/03/19 16:09:35 drochner Exp $ SHA1 (xine-lib-1.1.10.1.tar.bz2) = d77747206d19b48fd11a1dc36f3ac5ad3526c415 RMD160 (xine-lib-1.1.10.1.tar.bz2) = 4b2b67c85dad8e35dfa9352c39d2bb6cd1ecb4b1 @@ -30,3 +30,5 @@ SHA1 (patch-dc) = 11c4212029e67f22796e57706b42400a0dbcac3a SHA1 (patch-eb) = b65e2c7c30fc04115d55da1ce1f6f65216ac1d23 SHA1 (patch-ee) = 49efc9d722f2141e88106d87414586ab80e4f5a9 SHA1 (patch-fa) = a69fe09588596bfc3d74fad29e5a1aeeeead4dfd +SHA1 (patch-ga) = 296bb0f539f1a257df9f64331e8d62a8178f4077 +SHA1 (patch-gb) = 090436cd93c4b8f5fd6e4c1d313e69f9d49bd6c3 diff --git a/multimedia/xine-lib/patches/patch-ga b/multimedia/xine-lib/patches/patch-ga new file mode 100644 index 00000000000..2f777bff1d5 --- /dev/null +++ b/multimedia/xine-lib/patches/patch-ga @@ -0,0 +1,59 @@ +$NetBSD: patch-ga,v 1.3 2008/03/19 16:09:35 drochner Exp $ + +--- src/input/libreal/sdpplin.c.orig 2008-03-19 16:33:16.000000000 +0100 ++++ src/input/libreal/sdpplin.c +@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_s + handled=0; + + if(filter(*data,"a=control:streamid=",&buf)) { +- desc->stream_id=atoi(buf); ++ /* This way negative values are mapped to unfeasibly high ++ * values, and will be discarded afterward ++ */ ++ unsigned long tmp = strtoul(buf, NULL, 10); ++ if ( tmp > UINT16_MAX ) ++ lprintf("stream id out of bound: %lu\n", tmp); ++ else ++ desc->stream_id=tmp; + handled=1; + *data=nl(*data); + } +@@ -199,7 +206,7 @@ static sdpplin_stream_t *sdpplin_parse_s + if(filter(*data,"a=OpaqueData:buffer;",&buf)) { + decoded = b64_decode(buf, decoded, &(desc->mlti_data_size)); + if ( decoded != NULL ) { +- desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size); ++ desc->mlti_data = calloc(desc->mlti_data_size, sizeof(char)); + memcpy(desc->mlti_data, decoded, desc->mlti_data_size); + handled=1; + *data=nl(*data); +@@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) { + } + stream=sdpplin_parse_stream(&data); + lprintf("got data for stream id %u\n", stream->stream_id); +- desc->stream[stream->stream_id]=stream; ++ if ( stream->stream_id >= desc->stream_count ) ++ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count); ++ else ++ desc->stream[stream->stream_id]=stream; + continue; + } + +@@ -293,8 +303,15 @@ sdpplin_t *sdpplin_parse(char *data) { + } + + if(filter(data,"a=StreamCount:integer;",&buf)) { +- desc->stream_count=atoi(buf); +- desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); ++ /* This way negative values are mapped to unfeasibly high ++ * values, and will be discarded afterward ++ */ ++ unsigned long tmp = strtoul(buf, NULL, 10); ++ if ( tmp > UINT16_MAX ) ++ lprintf("stream count out of bound: %lu\n", tmp); ++ else ++ desc->stream_count = tmp; ++ desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*)); + handled=1; + data=nl(data); + } diff --git a/multimedia/xine-lib/patches/patch-gb b/multimedia/xine-lib/patches/patch-gb new file mode 100644 index 00000000000..f5c0baef010 --- /dev/null +++ b/multimedia/xine-lib/patches/patch-gb @@ -0,0 +1,22 @@ +$NetBSD: patch-gb,v 1.3 2008/03/19 16:09:35 drochner Exp $ + +--- src/input/libreal/sdpplin.h.orig 2008-01-23 06:11:52.000000000 +0100 ++++ src/input/libreal/sdpplin.h +@@ -37,7 +37,7 @@ typedef struct { + char *id; + char *bandwidth; + +- int stream_id; ++ uint16_t stream_id; + char *range; + char *length; + char *rtpmap; +@@ -81,7 +81,7 @@ typedef struct { + + int flags; + int is_real_data_type; +- int stream_count; ++ uint16_t stream_count; + char *title; + char *author; + char *copyright; |