[pkgsrc/trunk]: pkgsrc/audio/amarok Fix security problem:

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/52566e13d0f3
branches:  trunk
changeset: 552942:52566e13d0f3
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Mon Jan 12 12:33:39 2009 +0000

description:
Fix security problem:
* Fix possible buffer overflows when parsing Audible .aa files.

Bump PKGREVISION.

diffstat:

 audio/amarok/Makefile         |   3 +-
 audio/amarok/distinfo         |   3 +-
 audio/amarok/patches/patch-ad |  89 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+), 2 deletions(-)

diffs (119 lines):

diff -r 4a814fb79d3c -r 52566e13d0f3 audio/amarok/Makefile
--- a/audio/amarok/Makefile     Mon Jan 12 12:23:07 2009 +0000
+++ b/audio/amarok/Makefile     Mon Jan 12 12:33:39 2009 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.68 2009/01/08 11:43:36 shattered Exp $
+# $NetBSD: Makefile,v 1.69 2009/01/12 12:33:39 wiz Exp $
 
 DISTNAME=              amarok-${VERSION}
 VERSION=               1.4.10
+PKGREVISION=           1
 CATEGORIES=            audio kde
 MASTER_SITES=          ${MASTER_SITE_KDE:=amarok/${VERSION}/src/}
 EXTRACT_SUFX=          .tar.bz2
diff -r 4a814fb79d3c -r 52566e13d0f3 audio/amarok/distinfo
--- a/audio/amarok/distinfo     Mon Jan 12 12:23:07 2009 +0000
+++ b/audio/amarok/distinfo     Mon Jan 12 12:33:39 2009 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.35 2008/09/22 05:35:20 wiz Exp $
+$NetBSD: distinfo,v 1.36 2009/01/12 12:33:39 wiz Exp $
 
 SHA1 (amarok-1.4.10.tar.bz2) = cb0bebe99c6f4dc1b01601f2f3aee3a86da08fbd
 RMD160 (amarok-1.4.10.tar.bz2) = f86c71dd0459e0cf1ff586cd6de240ca6501cf62
 Size (amarok-1.4.10.tar.bz2) = 12812583 bytes
 SHA1 (patch-aa) = 53316f334f45a8a4780ae71061d528374a75cb5a
 SHA1 (patch-ab) = 91097c1d901fb66c5c8e593005c462b1874f50bf
+SHA1 (patch-ad) = eea8105897ce4cd9d4a086430ec0588125b3517b
diff -r 4a814fb79d3c -r 52566e13d0f3 audio/amarok/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/amarok/patches/patch-ad     Mon Jan 12 12:33:39 2009 +0000
@@ -0,0 +1,89 @@
+$NetBSD: patch-ad,v 1.1 2009/01/12 12:33:40 wiz Exp $
+
+Security fix, SVN r908415 from upstream 1.4.x branch.
+
+--- amarok/src/metadata/audible/audibletag.cpp.orig    2008-08-13 23:21:51.000000000 +0200
++++ amarok/src/metadata/audible/audibletag.cpp
+@@ -71,7 +71,8 @@ void Audible::Tag::readTags( FILE *fp )
+ {
+     char buf[1023];
+     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+-    fread(buf, strlen("product_id"), 1, fp);
++    if (fread(buf, strlen("product_id"), 1, fp) != 1)
++        return;
+     if(memcmp(buf, "product_id", strlen("product_id")))
+     {
+         buf[20]='\0';
+@@ -130,24 +131,65 @@ void Audible::Tag::readTags( FILE *fp )
+ 
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
++    const uint32_t maxtaglen = 100000;    
++
+     uint32_t nlen;
+-    fread(&nlen, sizeof(nlen), 1, fp);
++    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++        return false;
+     nlen = ntohl(nlen);
+     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+-    *name = new char[nlen+1];
+-    (*name)[nlen] = '\0';
++    if (nlen > maxtaglen)
++        return false;
+ 
+     uint32_t vlen;
+-    fread(&vlen, sizeof(vlen), 1, fp);
++    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++        return false;
+     vlen = ntohl(vlen);
+     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++    if (vlen > maxtaglen)
++        return false;
++
++    *name = new char[nlen+1];
++    if (!*name)
++        return false;
++        
+     *value = new char[vlen+1];
++    if (!*value)
++    {
++        delete[] *name;
++        *name = 0;
++        return false;
++    }
++
++    (*name)[nlen] = '\0';
+     (*value)[vlen] = '\0';
+ 
+-    fread(*name, nlen, 1, fp);
+-    fread(*value, vlen, 1, fp);
++    if (fread(*name, nlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
++    if (fread(*value, vlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     char lasttag;
+-    fread(&lasttag, 1, 1, fp);
++    if (fread(&lasttag, 1, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+ 
+     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;