From 6e0861d26719d244b6e28b9d6470d5640ef1c1b7 Mon Sep 17 00:00:00 2001
From: jasper <jasper@openbsd.org>
Date: Thu, 22 May 2014 11:53:36 +0000
Subject: [PATCH] Security fix for CVE-2014-2892, heap-based buffer overflow

---
 multimedia/libmms/Makefile                 |  4 ++--
 multimedia/libmms/distinfo                 |  3 ---
 multimedia/libmms/patches/patch-src_mmsh_c | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 multimedia/libmms/patches/patch-src_mmsh_c

diff --git a/multimedia/libmms/Makefile b/multimedia/libmms/Makefile
index 56d4f620166..c80f0eb0828 100644
--- a/multimedia/libmms/Makefile
+++ b/multimedia/libmms/Makefile
@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.9 2013/03/21 08:46:33 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.10 2014/05/22 11:53:36 jasper Exp $
 
 COMMENT =	library for parsing mms:// and mmsh:// type network streams
 
 DISTNAME =	libmms-0.6.2
 CATEGORIES =	multimedia net
 MASTER_SITES =	${MASTER_SITE_SOURCEFORGE:=libmms/}
-REVISION=	0
+REVISION=	1
 
 SHARED_LIBS =	mms 1.0 #0.2
 
diff --git a/multimedia/libmms/distinfo b/multimedia/libmms/distinfo
index 42508b78a6c..0eb0fe29078 100644
--- a/multimedia/libmms/distinfo
+++ b/multimedia/libmms/distinfo
@@ -1,5 +1,2 @@
-MD5 (libmms-0.6.2.tar.gz) = n2OqNj3rSHTgcqRYUBYb/w==
-RMD160 (libmms-0.6.2.tar.gz) = wb+J90YOwgircYBRDbs2c9Z96lo=
-SHA1 (libmms-0.6.2.tar.gz) = ze9i/RoOJYXdIRH8lLAy+EKQ41E=
 SHA256 (libmms-0.6.2.tar.gz) = AZMbYhctfXBQ/J75sbZBYvO26fbMRBUXAZKjKgt+pDI=
 SIZE (libmms-0.6.2.tar.gz) = 340230
diff --git a/multimedia/libmms/patches/patch-src_mmsh_c b/multimedia/libmms/patches/patch-src_mmsh_c
new file mode 100644
index 00000000000..36197e5601b
--- /dev/null
+++ b/multimedia/libmms/patches/patch-src_mmsh_c
@@ -0,0 +1,19 @@
+$OpenBSD: patch-src_mmsh_c,v 1.1 2014/05/22 11:53:36 jasper Exp $
+
+Security fix for CVE-2014-2892, heap-based buffer overflow
+http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8
+
+--- src/mmsh.c.orig	Thu May 22 13:47:18 2014
++++ src/mmsh.c	Thu May 22 13:48:30 2014
+@@ -307,7 +307,10 @@ static int get_answer (mms_io_t *io, mmsh_t *this) {
+         len = 0;
+       }
+     } else {
+-      len ++;
++      if (++len >= sizeof(this->buf)) {
++        lprintf("answer too large\n");
++        return 0;
++      }
+     }
+   }
+   if (this->stream_type == MMSH_UNKNOWN) {