pull in the patch for the ASF demuxer security flaw from vlc2, the

code is almost identical
bump PKGREV
thanks to Daniel Horecki for the hint

3 files changed, 164 insertions, 3 deletions

diff --git a/multimedia/vlc/Makefile b/multimedia/vlc/Makefile
index 5a8bf7e8c0d..011f7885c6f 100644
--- a/multimedia/vlc/Makefile
+++ b/multimedia/vlc/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.148 2013/01/26 21:38:29 adam Exp $
+# $NetBSD: Makefile,v 1.149 2013/02/05 18:53:34 drochner Exp $
 #
 
 DISTNAME=		vlc-${VLC_VERSION}
-PKGREVISION=		20
+PKGREVISION=		21
 CATEGORIES=		multimedia
 MASTER_SITES=		${MASTER_SITE_SOURCEFORGE:=vlc/} \
 			http://download.videolan.org/pub/videolan/vlc/${VLC_VERSION}/
diff --git a/multimedia/vlc/distinfo b/multimedia/vlc/distinfo
index 00abedb5246..ecd7a673600 100644
--- a/multimedia/vlc/distinfo
+++ b/multimedia/vlc/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.56 2013/01/22 11:46:23 wiz Exp $
+$NetBSD: distinfo,v 1.57 2013/02/05 18:53:34 drochner Exp $
 
 SHA1 (vlc-1.1.13.tar.bz2) = 05bbc7ff427f3b919b29a45ce014caff9ba92648
 RMD160 (vlc-1.1.13.tar.bz2) = c5aa438a9085ddbf28e849df442b75475693290d
 Size (vlc-1.1.13.tar.bz2) = 26226587 bytes
+SHA1 (patch-SA1302) = 9c654eca6f4e689ce2d5c563c6f19dc7705e418b
 SHA1 (patch-aa) = 684f7ad6a20ed6b9b8a8be2fc61836e6b471b686
 SHA1 (patch-ab) = bf5aaf7c201d0c28796956f58ebeb769a15d454e
 SHA1 (patch-ac) = d00c4037f29b84730156355e5635b485d996d3c6
diff --git a/multimedia/vlc/patches/patch-SA1302 b/multimedia/vlc/patches/patch-SA1302
new file mode 100644
index 00000000000..010238e2aa8
--- /dev/null
+++ b/multimedia/vlc/patches/patch-SA1302
@@ -0,0 +1,160 @@
+$NetBSD: patch-SA1302,v 1.1 2013/02/05 18:53:34 drochner Exp $
+
+upstream commit 330ba2296cd6841d0e8f0be40ef84966d5540fd3
+(manually adjusted)
+
+--- modules/demux/asf/asf.c.orig	2011-07-12 18:11:24.000000000 +0000
++++ modules/demux/asf/asf.c
+@@ -384,15 +384,30 @@ static mtime_t GetMoviePTS( demux_sys_t 
+     return i_time;
+ }
+ 
+-#define GETVALUE2b( bits, var, def ) \
+-    switch( (bits)&0x03 ) \
+-    { \
+-        case 1: var = p_peek[i_skip]; i_skip++; break; \
+-        case 2: var = GetWLE( p_peek + i_skip );  i_skip+= 2; break; \
+-        case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \
+-        case 0: \
+-        default: var = def; break;\
++static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits)
++{
++    switch(bits&0x03)
++    {
++    case 1:
++        if (left < 1)
++            return -1;
++        *var = p[*skip]; *skip += 1;
++        return 0;
++    case 2:
++        if (left < 2)
++            return -1;
++        *var = GetWLE(&p[*skip]); *skip += 2;
++        return 0;
++    case 3:
++        if (left < 4)
++            return -1;
++        *var = GetDWLE(&p[*skip]); *skip += 4;
++        return 0;
++    case 0:
++    default:
++        return 0;
+     }
++}
+ 
+ static int DemuxPacket( demux_t *p_demux )
+ {
+@@ -406,15 +421,15 @@ static int DemuxPacket( demux_t *p_demux
+     int         i_packet_property;
+ 
+     int         b_packet_multiple_payload;
+-    int         i_packet_length;
+-    int         i_packet_sequence;
+-    int         i_packet_padding_length;
++    int         i_packet_length = i_data_packet_min;
++    int         i_packet_sequence = 0;
++    int         i_packet_padding_length = 0;
+ 
+     uint32_t    i_packet_send_time;
+-    uint16_t    i_packet_duration;
+     int         i_payload;
+     int         i_payload_count;
+     int         i_payload_length_type;
++    int         peek_size;
+ 
+ 
+     if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)<i_data_packet_min )
+@@ -422,6 +437,7 @@ static int DemuxPacket( demux_t *p_demux
+         msg_Warn( p_demux, "cannot peek while getting new packet, EOF ?" );
+         return 0;
+     }
++    peek_size = i_data_packet_min;
+     i_skip = 0;
+ 
+     /* *** parse error correction if present *** */
+@@ -462,9 +478,12 @@ static int DemuxPacket( demux_t *p_demux
+     b_packet_multiple_payload = i_packet_flags&0x01;
+ 
+     /* read some value */
+-    GETVALUE2b( i_packet_flags >> 5, i_packet_length, i_data_packet_min );
+-    GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 );
+-    GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 );
++    if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0)
++        goto loop_error_recovery;
++    if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0)
++        goto loop_error_recovery;
++    if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0)
++        goto loop_error_recovery;
+ 
+     if( i_packet_padding_length > i_packet_length )
+     {
+@@ -473,7 +492,7 @@ static int DemuxPacket( demux_t *p_demux
+     }
+ 
+     i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
+-    i_packet_duration  = GetWLE( p_peek + i_skip ); i_skip += 2;
++    /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
+ 
+     /* FIXME I have to do that for some file, I don't known why */
+     i_packet_size_left = i_data_packet_min /*i_packet_length*/ ;
+@@ -496,13 +515,13 @@ static int DemuxPacket( demux_t *p_demux
+ 
+         int i_packet_keyframe;
+         int i_stream_number;
+-        int i_media_object_number;
++        int i_media_object_number = 0;
+         int i_media_object_offset;
+-        int i_replicated_data_length;
+-        int i_payload_data_length;
++        int i_replicated_data_length = 0;
++        int i_payload_data_length = 0;
+         int i_payload_data_pos;
+         int i_sub_payload_data_length;
+-        int i_tmp;
++        int i_tmp = 0;
+ 
+         mtime_t i_pts;
+         mtime_t i_pts_delta;
+@@ -516,9 +535,12 @@ static int DemuxPacket( demux_t *p_demux
+         i_packet_keyframe = p_peek[i_skip] >> 7;
+         i_stream_number = p_peek[i_skip++] & 0x7f;
+ 
+-        GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 );
+-        GETVALUE2b( i_packet_property >> 2, i_tmp, 0 );
+-        GETVALUE2b( i_packet_property, i_replicated_data_length, 0 );
++        if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0)
++            break;
++        if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0)
++            break;
++        if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0)
++            break;
+ 
+         if( i_replicated_data_length > 1 ) // should be at least 8 bytes
+         {
+@@ -553,7 +575,9 @@ static int DemuxPacket( demux_t *p_demux
+         i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 );
+         if( b_packet_multiple_payload )
+         {
+-            GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 );
++            i_payload_data_length = 0;
++            if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0)
++                break;
+         }
+         else
+         {
+@@ -640,6 +664,7 @@ static int DemuxPacket( demux_t *p_demux
+                 return 0;
+             }
+             i_packet_size_left -= i_read;
++            peek_size = 0;
+ 
+             p_frag->p_buffer += i_skip;
+             p_frag->i_buffer -= i_skip;
+@@ -667,6 +692,7 @@ static int DemuxPacket( demux_t *p_demux
+                     msg_Warn( p_demux, "cannot peek, EOF ?" );
+                     return 0;
+                 }
++                peek_size = i_packet_size_left;
+             }
+         }
+     }