pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/multimedia/xine-lib add patch from upstream to fix a b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6e28c66359b9
branches:  trunk
changeset: 539989:6e28c66359b9
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Wed Mar 19 16:09:35 2008 +0000

description:
add patch from upstream to fix a buffer overflow in the SDP parser
(CVE-2008-0073)
bump PKGREVISION

diffstat:

 multimedia/xine-lib/Makefile         |   4 +-
 multimedia/xine-lib/distinfo         |   4 +-
 multimedia/xine-lib/patches/patch-ga |  59 ++++++++++++++++++++++++++++++++++++
 multimedia/xine-lib/patches/patch-gb |  22 +++++++++++++
 4 files changed, 86 insertions(+), 3 deletions(-)

diffs (119 lines):

diff -r c06ee81cb5ed -r 6e28c66359b9 multimedia/xine-lib/Makefile
--- a/multimedia/xine-lib/Makefile      Wed Mar 19 15:33:12 2008 +0000
+++ b/multimedia/xine-lib/Makefile      Wed Mar 19 16:09:35 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.55 2008/02/11 15:03:18 tnn Exp $
+# $NetBSD: Makefile,v 1.56 2008/03/19 16:09:35 drochner Exp $
 
 .include "Makefile.common"
 
 COMMENT=               Multimedia player library
-PKGREVISION=           1
+PKGREVISION=           2
 
 BUILDLINK_API_DEPENDS.vcdimager+= vcdimager>=0.7.20nb1
 
diff -r c06ee81cb5ed -r 6e28c66359b9 multimedia/xine-lib/distinfo
--- a/multimedia/xine-lib/distinfo      Wed Mar 19 15:33:12 2008 +0000
+++ b/multimedia/xine-lib/distinfo      Wed Mar 19 16:09:35 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.51 2008/02/08 17:43:06 drochner Exp $
+$NetBSD: distinfo,v 1.52 2008/03/19 16:09:35 drochner Exp $
 
 SHA1 (xine-lib-1.1.10.1.tar.bz2) = d77747206d19b48fd11a1dc36f3ac5ad3526c415
 RMD160 (xine-lib-1.1.10.1.tar.bz2) = 4b2b67c85dad8e35dfa9352c39d2bb6cd1ecb4b1
@@ -30,3 +30,5 @@
 SHA1 (patch-eb) = b65e2c7c30fc04115d55da1ce1f6f65216ac1d23
 SHA1 (patch-ee) = 49efc9d722f2141e88106d87414586ab80e4f5a9
 SHA1 (patch-fa) = a69fe09588596bfc3d74fad29e5a1aeeeead4dfd
+SHA1 (patch-ga) = 296bb0f539f1a257df9f64331e8d62a8178f4077
+SHA1 (patch-gb) = 090436cd93c4b8f5fd6e4c1d313e69f9d49bd6c3
diff -r c06ee81cb5ed -r 6e28c66359b9 multimedia/xine-lib/patches/patch-ga
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/xine-lib/patches/patch-ga      Wed Mar 19 16:09:35 2008 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-ga,v 1.3 2008/03/19 16:09:35 drochner Exp $
+
+--- src/input/libreal/sdpplin.c.orig   2008-03-19 16:33:16.000000000 +0100
++++ src/input/libreal/sdpplin.c
+@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_s
+     handled=0;
+     
+     if(filter(*data,"a=control:streamid=",&buf)) {
+-      desc->stream_id=atoi(buf);
++      /* This way negative values are mapped to unfeasibly high
++       * values, and will be discarded afterward
++       */
++      unsigned long tmp = strtoul(buf, NULL, 10);
++      if ( tmp > UINT16_MAX )
++      lprintf("stream id out of bound: %lu\n", tmp);
++      else
++      desc->stream_id=tmp;
+       handled=1;
+       *data=nl(*data);
+     }
+@@ -199,7 +206,7 @@ static sdpplin_stream_t *sdpplin_parse_s
+     if(filter(*data,"a=OpaqueData:buffer;",&buf)) {
+       decoded = b64_decode(buf, decoded, &(desc->mlti_data_size));
+       if ( decoded != NULL ) {
+-      desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
++      desc->mlti_data = calloc(desc->mlti_data_size, sizeof(char));
+       memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
+       handled=1;
+       *data=nl(*data);
+@@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) {
+       }
+       stream=sdpplin_parse_stream(&data);
+       lprintf("got data for stream id %u\n", stream->stream_id);
+-      desc->stream[stream->stream_id]=stream;
++      if ( stream->stream_id >= desc->stream_count )
++      lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
++      else
++      desc->stream[stream->stream_id]=stream;
+       continue;
+     }
+ 
+@@ -293,8 +303,15 @@ sdpplin_t *sdpplin_parse(char *data) {
+     }
+     
+     if(filter(data,"a=StreamCount:integer;",&buf)) {
+-      desc->stream_count=atoi(buf);
+-      desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
++      /* This way negative values are mapped to unfeasibly high
++       * values, and will be discarded afterward
++       */
++      unsigned long tmp = strtoul(buf, NULL, 10);
++      if ( tmp > UINT16_MAX )
++      lprintf("stream count out of bound: %lu\n", tmp);
++      else
++      desc->stream_count = tmp;
++      desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
+       handled=1;
+       data=nl(data);
+     }
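Review bot: In the `a=StreamCount:integer;` branch of sdpplin_parse, the `calloc` for `desc->stream` still runs when the count was rejected as out of bound, and its result is never checked, so the later `desc->stream[stream->stream_id]=stream` store is guarded only by `stream_count` and would write through a NULL pointer if the allocation failed. Allocate only on the accepted path and set `stream_count` only once the array exists, as sketched below. The same unchecked `calloc` precedes the `memcpy` into `desc->mlti_data` in sdpplin_parse_stream. Separately, a rejected `streamid` leaves `desc->stream_id` at its previous value (presumably 0 if the struct is zero-initialised, which is not visible here), so that stream is filed under the old id rather than discarded as the comment says, and a stream rejected by the new bounds check is not freed. Both functions start and end outside these hunks.

```c
      unsigned long tmp = strtoul(buf, NULL, 10);
      if ( tmp > UINT16_MAX ) {
        lprintf("stream count out of bound: %lu\n", tmp);
      } else {
        sdpplin_stream_t **streams = calloc(tmp, sizeof(*streams));
        if ( streams == NULL ) {
          lprintf("cannot allocate %lu stream slots\n", tmp);
        } else {
          /* publish the count only together with a matching array */
          desc->stream = streams;
          desc->stream_count = tmp;
        }
      }
      /* … unchanged: handled=1; data=nl(data); … */
```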
diff -r c06ee81cb5ed -r 6e28c66359b9 multimedia/xine-lib/patches/patch-gb
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/xine-lib/patches/patch-gb      Wed Mar 19 16:09:35 2008 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-gb,v 1.3 2008/03/19 16:09:35 drochner Exp $
+
+--- src/input/libreal/sdpplin.h.orig   2008-01-23 06:11:52.000000000 +0100
++++ src/input/libreal/sdpplin.h
+@@ -37,7 +37,7 @@ typedef struct {
+   char *id;
+   char *bandwidth;
+ 
+-  int stream_id;
++  uint16_t stream_id;
+   char *range;
+   char *length;
+   char *rtpmap;
+@@ -81,7 +81,7 @@ typedef struct {
+ 
+   int flags;
+   int is_real_data_type;
+-  int stream_count;
++  uint16_t stream_count;
+   char *title;
+   char *author;
+   char *copyright;
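Review bot: Both fields become `uint16_t`, but neither this header patch nor the sdpplin.c patch adds `#include <stdint.h>`, which `uint16_t` here and the `UINT16_MAX` comparisons in sdpplin.c both need. If sdpplin.h does not already include it outside the visible context, the header compiles only when an includer happens to pull it in first, so consider adding `#include <stdint.h>` at the top of sdpplin.h. A short comment on `stream_count`, e.g. `/* number of slots allocated in stream[]; every stream_id must be below it */`, would also record the invariant the fix relies on. Both struct definitions extend outside the hunks.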


