From f9464b4b80edd2641fad41520159824595f38af8 Mon Sep 17 00:00:00 2001 From: bsiegert Date: Sat, 21 Mar 2015 19:06:54 +0000 Subject: SECURITY: Fix CVE-2014-9640. https://trac.xiph.org/changeset/19117 oggenc: fix crash on raw file close, reported by Hanno in issue #2009. pointer to a non-static struct was escaping its scope. --- audio/vorbis-tools/Makefile | 4 ++-- audio/vorbis-tools/distinfo | 4 ++-- audio/vorbis-tools/patches/patch-ac | 32 +++++++++++++++++++++++++++----- 3 files changed, 31 insertions(+), 9 deletions(-) diff --git a/audio/vorbis-tools/Makefile b/audio/vorbis-tools/Makefile index 5b6ba4a3e49..837bb4bd406 100644 --- a/audio/vorbis-tools/Makefile +++ b/audio/vorbis-tools/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.60 2014/02/12 23:17:35 tron Exp $ +# $NetBSD: Makefile,v 1.61 2015/03/21 19:06:54 bsiegert Exp $ DISTNAME= vorbis-tools-1.4.0 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= audio MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ diff --git a/audio/vorbis-tools/distinfo b/audio/vorbis-tools/distinfo index e8d7e20f268..f305dd93a01 100644 --- a/audio/vorbis-tools/distinfo +++ b/audio/vorbis-tools/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.23 2010/11/09 13:13:03 adam Exp $ +$NetBSD: distinfo,v 1.24 2015/03/21 19:06:54 bsiegert Exp $ SHA1 (vorbis-tools-1.4.0.tar.gz) = fc6a820bdb5ad6fcac074721fab5c3f96eaf6562 RMD160 (vorbis-tools-1.4.0.tar.gz) = ff21e5c9456ac0a82b8eda4e53931db8522a2ccd Size (vorbis-tools-1.4.0.tar.gz) = 1346532 bytes SHA1 (patch-aa) = ea37946fb3a227d91eeb3ea94a9a7c9f8a3ef021 SHA1 (patch-ab) = 00c0a5a9388baf79fd944e12cda1da65e2e8676c -SHA1 (patch-ac) = 43f270b53044c54cf682ee084fa29592cf2b0eeb +SHA1 (patch-ac) = 781ad97014c81f9fd40166cc29112247ef4acd6d SHA1 (patch-ae) = 60ca36c35325e4228ea7f7f5b3a60cd57b56b0cd diff --git a/audio/vorbis-tools/patches/patch-ac b/audio/vorbis-tools/patches/patch-ac index b287c548d0a..11971b408ab 100644 --- a/audio/vorbis-tools/patches/patch-ac +++ b/audio/vorbis-tools/patches/patch-ac @@ -1,8 +1,30 @@ -$NetBSD: patch-ac,v 1.9 2010/11/09 13:13:03 adam Exp $ +$NetBSD: patch-ac,v 1.10 2015/03/21 19:06:54 bsiegert Exp $ +https://trac.xiph.org/changeset/19117 +oggenc: fix crash on raw file close, reported by Hanno in issue #2009. pointer +to a non-static struct was escaping its scope. --- oggenc/oggenc.c.orig 2010-03-26 07:07:07.000000000 +0000 +++ oggenc/oggenc.c -@@ -779,6 +779,8 @@ static void parse_options(int argc, char +@@ -97,6 +97,8 @@ int main(int argc, char **argv) + .3,-1, + 0,0,0.f, + 0, 0, 0, 0, 0}; ++ input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", ++ N_("RAW file reader")}; + + int i; + +@@ -239,9 +241,6 @@ int main(int argc, char **argv) + + if(opt.rawmode) + { +- input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", +- N_("RAW file reader")}; +- + enc_opts.rate=opt.raw_samplerate; + enc_opts.channels=opt.raw_channels; + enc_opts.samplesize=opt.raw_samplesize; +@@ -779,6 +778,8 @@ static void parse_options(int argc, char break; case 'a': @@ -11,7 +33,7 @@ $NetBSD: patch-ac,v 1.9 2010/11/09 13:13:03 adam Exp $ opt->artist = realloc(opt->artist, (++opt->artist_count)*sizeof(char *)); opt->artist[opt->artist_count - 1] = strdup(optarg); break; -@@ -791,10 +793,14 @@ static void parse_options(int argc, char +@@ -791,10 +792,14 @@ static void parse_options(int argc, char opt->comments[opt->comment_count - 1] = strdup(optarg); break; case 'd': @@ -26,7 +48,7 @@ $NetBSD: patch-ac,v 1.9 2010/11/09 13:13:03 adam Exp $ opt->genre = realloc(opt->genre, (++opt->genre_count)*sizeof(char *)); opt->genre[opt->genre_count - 1] = strdup(optarg); break; -@@ -803,6 +809,8 @@ static void parse_options(int argc, char +@@ -803,6 +808,8 @@ static void parse_options(int argc, char exit(0); break; case 'l': @@ -35,7 +57,7 @@ $NetBSD: patch-ac,v 1.9 2010/11/09 13:13:03 adam Exp $ opt->album = realloc(opt->album, (++opt->album_count)*sizeof(char *)); opt->album[opt->album_count - 1] = strdup(optarg); break; -@@ -815,6 +823,8 @@ static void parse_options(int argc, char +@@ -815,6 +822,8 @@ static void parse_options(int argc, char opt->fixedserial = 1; break; case 't': -- cgit v1.2.3