From 8450e94457827a40502c64ea28829e4780cf3739 Mon Sep 17 00:00:00 2001 From: tron Date: Thu, 4 Sep 2008 21:01:44 +0000 Subject: Pullup ticket #2515 - requested by tonnerre ffmpeg: security patch Revisions pulled up: - multimedia/ffmpeg/Makefile 1.36 - multimedia/ffmpeg/distinfo 1.15 - multimedia/ffmpeg/patches/patch-al 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Mon Sep 1 00:00:10 UTC 2008 Modified Files: pkgsrc/multimedia/ffmpeg: Makefile distinfo Added Files: pkgsrc/multimedia/ffmpeg/patches: patch-al Log Message: Add patch to fix ffmpeg remote system access vulnerability (CVE-2008-3162). --- multimedia/ffmpeg/Makefile | 4 +-- multimedia/ffmpeg/distinfo | 3 ++- multimedia/ffmpeg/patches/patch-al | 52 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 multimedia/ffmpeg/patches/patch-al diff --git a/multimedia/ffmpeg/Makefile b/multimedia/ffmpeg/Makefile index 01eb448b37f..9f15b2d150a 100644 --- a/multimedia/ffmpeg/Makefile +++ b/multimedia/ffmpeg/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.35 2008/01/22 22:51:45 jdc Exp $ +# $NetBSD: Makefile,v 1.35.6.1 2008/09/04 21:01:44 tron Exp $ DISTNAME= ffmpeg-0.4.9-pre1 PKGNAME= ffmpeg-0.4.9pre1 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= multimedia MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ffmpeg/} diff --git a/multimedia/ffmpeg/distinfo b/multimedia/ffmpeg/distinfo index b5b07317ed5..27b2bf70ead 100644 --- a/multimedia/ffmpeg/distinfo +++ b/multimedia/ffmpeg/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.14 2007/12/22 00:05:25 joerg Exp $ +$NetBSD: distinfo,v 1.14.8.1 2008/09/04 21:01:44 tron Exp $ SHA1 (ffmpeg-0.4.9-pre1.tar.gz) = aad00445137520bec19e56bcb042e75a10c53bb3 RMD160 (ffmpeg-0.4.9-pre1.tar.gz) = fd682846f97ada32951af7844e185c42783189a4 @@ -14,5 +14,6 @@ SHA1 (patch-ah) = 3b600dd8d5bc0d4363139cea0ba8338691d8fa75 SHA1 (patch-ai) = fe1bbecd05f2eef812650efa83223a3b6417ed6a SHA1 (patch-aj) = b998fdc2b3cc5f6efd2fb4f12fbb630d5832004b SHA1 (patch-ak) = 564d7d55372281909f70c63c6a72eb7d97afd99d +SHA1 (patch-al) = d418bf4af796f1e3b829ceab19ddde94a0ca8ec4 SHA1 (patch-an) = 3e2327f2a30571daf82edd67128c63845819224e SHA1 (patch-ao) = f1e8f504a951ab02d70aae083862414b32d8b55a diff --git a/multimedia/ffmpeg/patches/patch-al b/multimedia/ffmpeg/patches/patch-al new file mode 100644 index 00000000000..595437a3b0e --- /dev/null +++ b/multimedia/ffmpeg/patches/patch-al @@ -0,0 +1,52 @@ +$NetBSD: patch-al,v 1.1.2.2 2008/09/04 21:01:44 tron Exp $ + +--- libavformat/psxstr.c.orig 2004-06-19 05:59:34.000000000 +0200 ++++ libavformat/psxstr.c +@@ -273,12 +273,21 @@ static int str_read_packet(AVFormatConte + int current_sector = LE_16(§or[0x1C]); + int sector_count = LE_16(§or[0x1E]); + int frame_size = LE_32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ if (pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR_IO; + + pkt->stream_index = +@@ -291,15 +300,15 @@ static int str_read_packet(AVFormatConte + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= -1; + return 0; + } + -- cgit v1.2.3