From 34bf5f505164696addf58553832150d3d06991bd Mon Sep 17 00:00:00 2001 From: drochner Date: Tue, 14 Aug 2007 21:41:06 +0000 Subject: fix the http header parsing buffer overflow, the same way as done in 1.62.2, bump PKGREVISION The reason I'm not updating to 1.62.2 yet is that it triggers problems with NetBSD's iconv(3) (WCHAR_T doesn't work), and that it doesn't create id3v1 tags anymore per default which many programs want. --- audio/streamripper/Makefile | 3 +- audio/streamripper/distinfo | 3 +- audio/streamripper/patches/patch-ab | 98 +++++++++++++++++++++++++++++++++++++ 3 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 audio/streamripper/patches/patch-ab (limited to 'audio') diff --git a/audio/streamripper/Makefile b/audio/streamripper/Makefile index 204012d8fa5..688c3b0bdc1 100644 --- a/audio/streamripper/Makefile +++ b/audio/streamripper/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.4 2006/12/14 08:09:16 minskim Exp $ +# $NetBSD: Makefile,v 1.5 2007/08/14 21:41:06 drochner Exp $ # DISTNAME= streamripper-1.61.27 +PKGREVISION= 1 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=streamripper/} diff --git a/audio/streamripper/distinfo b/audio/streamripper/distinfo index 26b2130eaee..43c036edd7b 100644 --- a/audio/streamripper/distinfo +++ b/audio/streamripper/distinfo @@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.2 2006/12/12 20:27:15 wiz Exp $ +$NetBSD: distinfo,v 1.3 2007/08/14 21:41:06 drochner Exp $ SHA1 (streamripper-1.61.27.tar.gz) = bdbf0e301c3c783e1f13c2977508afd5076328ad RMD160 (streamripper-1.61.27.tar.gz) = 14b55b91e3b995515d6978383f9fc618fe92bbcb Size (streamripper-1.61.27.tar.gz) = 1227559 bytes SHA1 (patch-aa) = 1150430aa345f78c58d7a207433947a4241ecf29 +SHA1 (patch-ab) = d1fc536498e0216eec469da7f89d4b1712082e0f diff --git a/audio/streamripper/patches/patch-ab b/audio/streamripper/patches/patch-ab new file mode 100644 index 00000000000..7ebb04e1878 --- /dev/null +++ b/audio/streamripper/patches/patch-ab @@ -0,0 +1,98 @@ +$NetBSD: patch-ab,v 1.1 2007/08/14 21:41:06 drochner Exp $ + +--- lib/http.c.orig 2006-08-25 04:01:49.000000000 +0200 ++++ lib/http.c +@@ -258,11 +258,11 @@ httplib_construct_page_request (const ch + + /* Return 1 if a match was found, 0 if not found */ + int +-extract_header_value (char *header, char *dest, char *match) ++extract_header_value (char *header, char *dest, char *match, int maxlen) + { + char* start = (char *)strstr(header, match); + if (start) { +- subnstr_until(start+strlen(match), "\n", dest, MAX_ICY_STRING); ++ subnstr_until(start+strlen(match), "\n", dest, maxlen); + return 1; + } else { + return 0; +@@ -321,24 +321,32 @@ httplib_parse_sc_header (const char *url + } + + // read generic headers +- extract_header_value(header, info->http_location, "Location:"); +- extract_header_value(header, info->server, "Server:"); +- rc = extract_header_value(header, info->icy_name, "icy-name:"); ++ extract_header_value(header, info->http_location, "Location:", ++ sizeof(info->http_location)); ++ extract_header_value(header, info->server, "Server:", ++ sizeof(info->server)); ++ rc = extract_header_value(header, info->icy_name, "icy-name:", ++ sizeof(info->icy_name)); + if (rc == 0) { + /* Icecast 2.0.1 */ +- rc = extract_header_value(header, info->icy_name, "ice-name:"); ++ rc = extract_header_value(header, info->icy_name, "ice-name:", ++ sizeof(info->icy_name)); + } + info->have_icy_name = rc; +- extract_header_value(header, info->icy_url, "icy-url:"); +- rc = extract_header_value(header, stempbr, "icy-br:"); ++ extract_header_value(header, info->icy_url, "icy-url:", ++ sizeof(info->icy_url)); ++ rc = extract_header_value(header, stempbr, ++ "icy-br:", sizeof(stempbr)); + if (rc) { + info->icy_bitrate = atoi(stempbr); + } + + /* interpret the content type from http header */ +- rc = extract_header_value(header, stempbr, "Content-Type:"); ++ rc = extract_header_value(header, stempbr, ++ "Content-Type:", sizeof(stempbr)); + if (rc == 0) { +- rc = extract_header_value(header, stempbr, "content-type:"); ++ rc = extract_header_value(header, stempbr, ++ "content-type:", sizeof(stempbr)); + } + if (rc == 0) { + info->content_type = CONTENT_TYPE_UNKNOWN; +@@ -418,11 +426,15 @@ httplib_parse_sc_header (const char *url + } + + // icecast 1.x headers. +- extract_header_value(header, info->icy_url, "x-audiocast-server-url:"); +- rc = extract_header_value(header, info->icy_name, "x-audiocast-name:"); ++ extract_header_value(header, info->icy_url, "x-audiocast-server-url:", ++ sizeof(info->icy_url)); ++ rc = extract_header_value(header, info->icy_name, "x-audiocast-name:", ++ sizeof(info->icy_name)); + info->have_icy_name |= rc; +- extract_header_value(header, info->icy_genre, "x-audiocast-genre:"); +- rc = extract_header_value(header, stempbr, "x-audiocast-bitrate:"); ++ extract_header_value(header, info->icy_genre, "x-audiocast-genre:", ++ sizeof(info->icy_genre)); ++ rc = extract_header_value(header, stempbr, "x-audiocast-bitrate:", ++ sizeof(stempbr)); + if (rc) { + info->icy_bitrate = atoi(stempbr); + } +@@ -626,7 +638,8 @@ httplib_get_pls (HSOCKET *sock, SR_HTTP_ + int best_open = 0; + + sprintf (buf1, "File%d=", s); +- if (!extract_header_value (buf, location_buf, buf1)) { ++ if (!extract_header_value (buf, location_buf, buf1, ++ sizeof(location_buf))) { + break; + } + if (s == 1) { +@@ -635,7 +648,7 @@ httplib_get_pls (HSOCKET *sock, SR_HTTP_ + } + + sprintf (buf1, "Title%d=", s); +- if (!extract_header_value (buf, title_buf, buf1)) { ++ if (!extract_header_value (buf, title_buf, buf1, sizeof(title_buf))) { + break; + } + num_scanned = sscanf (title_buf, "(#%*[0-9] - %d/%d",&used,&total); -- cgit v1.2.3