diff options
Diffstat (limited to 'multimedia/mplayer-share/patches/patch-ca')
-rw-r--r-- | multimedia/mplayer-share/patches/patch-ca | 61 |
1 files changed, 0 insertions, 61 deletions
diff --git a/multimedia/mplayer-share/patches/patch-ca b/multimedia/mplayer-share/patches/patch-ca deleted file mode 100644 index 9822526a14d..00000000000 --- a/multimedia/mplayer-share/patches/patch-ca +++ /dev/null @@ -1,61 +0,0 @@ -$NetBSD: patch-ca,v 1.1 2008/12/15 15:37:58 tron Exp $ - -Security fix for vulnerability reported in TKADV2008-014 taken from: - -http://svn.mplayerhq.hu/mplayer/branches/1.0rc2/libmpdemux/demux_vqf.c?view=patch&r1=24723&r2=28150&pathrev=28150 - ---- libmpdemux/demux_vqf.c.orig 2007-10-07 20:49:33.000000000 +0100 -+++ libmpdemux/demux_vqf.c 2008-12-15 14:29:58.000000000 +0000 -@@ -50,11 +50,14 @@ - unsigned chunk_size; - hi->size=chunk_size=stream_read_dword(s); /* include itself */ - stream_read(s,chunk_id,4); -+ if (chunk_size < 8) return NULL; -+ chunk_size -= 8; - if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M')) - { -- char buf[chunk_size-8]; -+ char buf[BUFSIZ]; - unsigned i,subchunk_size; -- if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL; -+ if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL; -+ if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL; - i=0; - subchunk_size=be2me_32(*((uint32_t *)&buf[0])); - hi->channelMode=be2me_32(*((uint32_t *)&buf[4])); -@@ -83,13 +86,15 @@ - sh_audio->samplesize = 4; - w->wBitsPerSample = 8*sh_audio->samplesize; - w->cbSize = 0; -+ if (subchunk_size > chunk_size - 4) continue; - i+=subchunk_size+4; -- while(i<chunk_size-8) -+ while(i + 8 < chunk_size) - { - unsigned slen,sid; -- char sdata[chunk_size]; -+ char sdata[BUFSIZ]; - sid=*((uint32_t *)&buf[i]); i+=4; - slen=be2me_32(*((uint32_t *)&buf[i])); i+=4; -+ if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break; - if(sid==mmioFOURCC('D','S','I','Z')) - { - hi->Dsiz=be2me_32(*((uint32_t *)&buf[i])); -@@ -141,7 +146,7 @@ - if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('D','A','T','A')) - { - demuxer->movi_start=stream_tell(s); -- demuxer->movi_end=demuxer->movi_start+chunk_size-8; -+ demuxer->movi_end=demuxer->movi_start+chunk_size; - mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end); - /* Done! play it */ - break; -@@ -149,7 +154,7 @@ - else - { - mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",((char *)&chunk_id)[0],((char *)&chunk_id)[1],((char *)&chunk_id)[2],((char *)&chunk_id)[3],chunk_size); -- stream_skip(s,chunk_size-8); /*unknown chunk type */ -+ stream_skip(s,chunk_size); /*unknown chunk type */ - } - } - |