- SECURITY FIX for SA35205

(GStreamer Good Plug-ins PNG Processing Integer Overflow Vulnerability) patch from upstream git ok ajacoutot@
2009-06-03 20:24:31 +00:00 · 2009-06-03 20:24:31 +00:00 · 55a93da197
commit 55a93da197
parent 234ce54993
2 changed files with 57 additions and 3 deletions
--- a/multimedia/gstreamer-0.10/plugins-good/Makefile
+++ b/multimedia/gstreamer-0.10/plugins-good/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.39 2009/04/11 14:37:21 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.40 2009/06/03 20:24:31 jasper Exp $

 COMMENT-main =		multimedia framework - good plugins
 COMMENT-aalib =		multimedia framework - aalib plugin
@ -19,7 +19,7 @@ COMMENT-wavpack =	multimedia framework - wavpack plugin

 V =			0.10.8
 DISTNAME =		gst-plugins-good-$V
-PKGNAME-main =		gstreamer-plugins-good-$Vp11v0
+PKGNAME-main =		gstreamer-plugins-good-$Vp12v0
 PKGNAME-aalib =		gstreamer-aalib-$Vp2
 PKGNAME-cairo =		gstreamer-cairo-$Vp3
 PKGNAME-gconf =		gstreamer-confelements-$Vp4
@ -29,7 +29,7 @@ PKGNAME-speex =		gstreamer-speex-$Vp2
 PKGNAME-taglib =	gstreamer-taglib-$Vp2
 PKGNAME-dv =		gstreamer-dv-$Vp2
 PKGNAME-jpeg =		gstreamer-jpeg-$Vp2
-PKGNAME-png =		gstreamer-png-$Vp2
+PKGNAME-png =		gstreamer-png-$Vp3
 PKGNAME-gdk =		gstreamer-gdk-pixbuf-$Vp4
 PKGNAME-caca =		gstreamer-libcaca-$Vp2
 PKGNAME-shout =		gstreamer-shoutcast-$Vp2
--- a/multimedia/gstreamer-0.10/plugins-good/patches/patch-ext_libpng_gstpngdec_c
+++ b/multimedia/gstreamer-0.10/plugins-good/patches/patch-ext_libpng_gstpngdec_c
@ -0,0 +1,54 @@
+$OpenBSD: patch-ext_libpng_gstpngdec_c,v 1.1 2009/06/03 20:24:31 jasper Exp $
+
+GStreamer Good Plug-ins PNG Processing Integer Overflow Vulnerability (SA35205)
+Patch from upstream git: d9544bcc44adcef769cbdf7f6453e140058a3adc
+
+--- ext/libpng/gstpngdec.c.orig	Wed Jun  3 14:10:46 2009
+++ ext/libpng/gstpngdec.c	Wed Jun  3 14:13:57 2009
+@@ -204,7 +204,13 @@ user_info_callback (png_structp png_ptr, png_infop inf
+ 
+   /* Allocate output buffer */
+   pngdec->rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+-  buffer_size = pngdec->height * GST_ROUND_UP_4 (pngdec->rowbytes);
+  if (pngdec->rowbytes > (G_MAXUINT32 - 3)
+      || pngdec->height > G_MAXUINT32 / pngdec->rowbytes) {
+    ret = GST_FLOW_ERROR;
+    goto beach;
+  }
+  pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);
+  buffer_size = pngdec->height * pngdec->rowbytes;
+   ret =
+       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -229,7 +235,7 @@ user_endrow_callback (png_structp png_ptr, png_bytep n
+   /* FIXME: implement interlaced pictures */
+ 
+   if (GST_IS_BUFFER (pngdec->buffer_out)) {
+-    size_t offset = row_num * GST_ROUND_UP_4 (pngdec->rowbytes);
+    size_t offset = row_num * pngdec->rowbytes;
+ 
+     GST_LOG ("got row %u, copying in buffer %p at offset %" G_GSIZE_FORMAT,
+         (guint) row_num, pngdec->buffer_out, offset);
+@@ -478,7 +484,12 @@ gst_pngdec_task (GstPad * pad)
+ 
+   /* Allocate output buffer */
+   rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+-  buffer_size = pngdec->height * GST_ROUND_UP_4 (rowbytes);
+  if (rowbytes > (G_MAXUINT32 - 3) || pngdec->height > G_MAXUINT32 / rowbytes) {
+    ret = GST_FLOW_ERROR;
+    goto pause;
+  }
+  rowbytes = GST_ROUND_UP_4 (rowbytes);
+  buffer_size = pngdec->height * rowbytes;
+   ret =
+       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -492,7 +503,7 @@ gst_pngdec_task (GstPad * pad)
+ 
+   for (i = 0; i < pngdec->height; i++) {
+     rows[i] = inp;
+-    inp += GST_ROUND_UP_4 (rowbytes);
+    inp += rowbytes;
+   }
+ 
+   /* Read the actual picture */