From 497cc0cdd9143c5306dc39e519ef579d3dca8a65 Mon Sep 17 00:00:00 2001
From: drochner
Date: Mon, 2 Feb 2009 19:20:48 +0000
Subject: -add a patch from upstream to fix CVE-2008-3162 (stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c) -add (a modified version of) the ffmpeg 4xm patch which fixes possible memory corruption bump PKGREVISION
---
 multimedia/mplayer-share/distinfo | 4 ++-
 multimedia/mplayer-share/patches/patch-ap | 54 +++++++++++++++++++++++++++++++
 multimedia/mplayer-share/patches/patch-aq | 20 ++++++++++++
 multimedia/mplayer/Makefile | 4 +--
 4 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 multimedia/mplayer-share/patches/patch-ap
 create mode 100644 multimedia/mplayer-share/patches/patch-aq
diff --git a/multimedia/mplayer-share/distinfo b/multimedia/mplayer-share/distinfo
index 67647e0ceb7..fd3685277c7 100644
--- a/multimedia/mplayer-share/distinfo
+++ b/multimedia/mplayer-share/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.58 2008/12/20 00:43:47 jmcneill Exp $
+$NetBSD: distinfo,v 1.59 2009/02/02 19:20:48 drochner Exp $
 SHA1 (mplayer-1.0rc10/MPlayer-1.0rc2.tar.bz2) = e9b496f3527c552004ec6d01d6b43f196b43ce2d
 RMD160 (mplayer-1.0rc10/MPlayer-1.0rc2.tar.bz2) = 3b5cba1529856a177a5191e22f8dcc00b5a83c52
@@ -18,6 +18,8 @@ SHA1 (patch-al) = 9538b10cf5b3802381d7aabc798676b3cb9ef00d
 SHA1 (patch-am) = bae1e03f7265cb6b07947f052f0774d1c17da88e
 SHA1 (patch-an) = a967a47b0d0846fe89f91f9d3faa6055975a5a73
 SHA1 (patch-ao) = ddd85a9bfda237ea923faf0c3677b5e14cff4e0d
+SHA1 (patch-ap) = 83777bac06190f71078435721ad2f7055689f64f
+SHA1 (patch-aq) = 8d77f3fbe5796707f591e0890b54b9f34f649709
 SHA1 (patch-ba) = 2683c414fed3a4a6d3b4d47287f43d822339bd4e
 SHA1 (patch-bb) = 26d000bcbc94b9139e6dbc79237fdb3a109c6057
 SHA1 (patch-bc) = fd46ce3cd6d5f7525e210cf6d475b89573ca988d
diff --git a/multimedia/mplayer-share/patches/patch-ap b/multimedia/mplayer-share/patches/patch-ap
new file mode 100644
index 00000000000..ba49c896e34
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-ap
@@ -0,0 +1,54 @@
+$NetBSD: patch-ap,v 1.1 2009/02/02 19:20:49 drochner Exp $
+
+--- libavformat/psxstr.c.orig 2007-10-07 21:49:38.000000000 +0200
++++ libavformat/psxstr.c
+@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte
+ int current_sector = AV_RL16(§or[0x1C]);
+ int sector_count = AV_RL16(§or[0x1E]);
+ int frame_size = AV_RL32(§or[0x24]);
+- int bytes_to_copy;
++
++ if(!( frame_size>=0
++ && current_sector < sector_count
++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ // printf("%d %d %d\n",current_sector,sector_count,frame_size);
+ /* if this is the first sector of the frame, allocate a pkt */
+ pkt = &str->tmp_pkt;
+- if (current_sector == 0) {
+- if (av_new_packet(pkt, frame_size))
++
++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++ if(pkt->data)
++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++ av_free_packet(pkt);
++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+ return AVERROR(EIO);
+
+ pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
+@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte
+ str->pts += (90000 / 15);
+ }
+
+- /* load all the constituent chunks in the video packet */
+- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+- if (bytes_to_copy>0) {
+- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+- }
++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++ sector + VIDEO_DATA_HEADER_SIZE,
++ VIDEO_DATA_CHUNK_SIZE);
++
+ if (current_sector == sector_count-1) {
++ pkt->size= frame_size;
+ *ret_pkt = *pkt;
++ pkt->data= NULL;
++ pkt->size= -1;
+ return 0;
+ }
+
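Review bot: In the rewritten str_read_packet (patch-ap, second inner hunk) the packet is handed out as soon as `current_sector == sector_count-1`, but nothing records which earlier sectors were actually copied in, so a file that skips sector indices would return a packet whose unwritten chunks still hold whatever the allocator left there. The bounds check added at the top does keep every `memcpy` inside the `sector_count*VIDEO_DATA_CHUNK_SIZE` buffer, so this concerns uninitialised bytes reaching the decoder rather than an overflow. Unless `av_new_packet` clears the payload (not visible here), adding `memset(pkt->data, 0, pkt->size);` right after the successful `av_new_packet` call would make the content deterministic. The allocation-failure path also returns `AVERROR(EIO)` where `AVERROR(ENOMEM)` would describe the error better. The function starts and ends outside both inner hunks.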
diff --git a/multimedia/mplayer-share/patches/patch-aq b/multimedia/mplayer-share/patches/patch-aq
new file mode 100644
index 00000000000..bd6c6e720fe
--- /dev/null
+++ b/multimedia/mplayer-share/patches/patch-aq
@@ -0,0 +1,20 @@
+$NetBSD: patch-aq,v 1.1 2009/02/02 19:20:49 drochner Exp $
+
+--- libavformat/4xm.c.orig 2009-01-29 13:36:59.000000000 +0100
++++ libavformat/4xm.c
+@@ -163,10 +163,13 @@ static int fourxm_read_header(AVFormatCo
+ return AVERROR_INVALIDDATA;
+ }
+ current_track = AV_RL32(&header[i + 8]);
++ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
++ av_log(s, AV_LOG_ERROR, "current_track too large\n");
++ av_free(header);
++ return AVERROR_INVALIDDATA;
++ }
+ if (current_track + 1 > fourxm->track_count) {
+ fourxm->track_count = current_track + 1;
+- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack))
+- return -1;
+ fourxm->tracks = av_realloc(fourxm->tracks,
+ fourxm->track_count * sizeof(AudioTrack));
+ if (!fourxm->tracks) {
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index 2ae94d3e4db..c427328a978 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.65 2008/12/20 00:44:46 jmcneill Exp $
+# $NetBSD: Makefile,v 1.66 2009/02/02 19:20:48 drochner Exp $
 PKGNAME= mplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION= 12
+PKGREVISION= 13
 COMMENT= Software-only MPEG-1/2/4 video decoder
--
cgit v1.2.3
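Review bot: The new `current_track` check in fourxm_read_header (patch-aq) only keeps `track_count * sizeof(AudioTrack)` from wrapping, so a single 32-bit field from the file can still request an `av_realloc` of nearly `UINT_MAX` bytes. A format-level ceiling would be tighter, for example `if ((unsigned)current_track >= MAX_4XM_TRACKS) {`, where `MAX_4XM_TRACKS` is a placeholder for a limit the maintainers choose. If `current_track` is a signed int, as the cast suggests, the `(unsigned)` conversion is what rejects negative indices, and that deserves a comment such as `/* cast also rejects negative track numbers read from the file */`. The new error return frees `header`, but whether `fourxm->tracks` from earlier loop iterations is released cannot be seen, since the function continues outside the hunk.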