From 785ec1fe86861d21e52aa7fef174fd25052e338b Mon Sep 17 00:00:00 2001 From: jakemsr Date: Mon, 11 Feb 2008 00:22:03 +0000 Subject: [PATCH] security patches for - buffer overflow in stream_cddb.c - buffer overflow in url.c - buffer overflow in demux_mov.c - stack overflow in demux_audio.c from brad@, ok maintainer also remove reference to rtunes_ao.diff from distinfo. this patch is not used now because it does not apply. --- x11/mplayer/Makefile | 4 +-- x11/mplayer/distinfo | 5 --- .../patches/patch-libmpdemux_demux_audio_c | 12 +++++++ .../patches/patch-libmpdemux_demux_mov_c | 36 +++++++++++++++++++ .../patches/patch-stream_stream_cddb_c | 33 +++++++++++++++++ x11/mplayer/patches/patch-stream_url_c | 11 ++++++ 6 files changed, 94 insertions(+), 7 deletions(-) create mode 100644 x11/mplayer/patches/patch-libmpdemux_demux_audio_c create mode 100644 x11/mplayer/patches/patch-libmpdemux_demux_mov_c create mode 100644 x11/mplayer/patches/patch-stream_stream_cddb_c create mode 100644 x11/mplayer/patches/patch-stream_url_c diff --git a/x11/mplayer/Makefile b/x11/mplayer/Makefile index 538ade55b18..43b66162bf5 100644 --- a/x11/mplayer/Makefile +++ b/x11/mplayer/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.124 2008/02/08 17:32:41 jakemsr Exp $ +# $OpenBSD: Makefile,v 1.125 2008/02/11 00:22:03 jakemsr Exp $ # May not be hard to add more. ONLY_FOR_ARCHS= amd64 i386 powerpc sparc64 arm @@ -9,7 +9,7 @@ V= 1.0rc2 N= mplayer DISTNAME= MPlayer-${V} DIST_SUBDIR= ${N} -PKGNAME= ${N}-${V} +PKGNAME= ${N}-${V}p0 CATEGORIES= x11 multimedia EXTRACT_SUFX= .tar.bz2 diff --git a/x11/mplayer/distinfo b/x11/mplayer/distinfo index 22cb8bc6d31..f00230dbda5 100644 --- a/x11/mplayer/distinfo +++ b/x11/mplayer/distinfo 
@@ -1,15 +1,10 @@
 MD5 (mplayer/MPlayer-1.0rc2.tar.bz2) = fiflNcLSZ2N980iY8bkXBw==
 MD5 (mplayer/default-1.7.tar.bz2) = fh0WwvijJGn0NUywQ+7MXQ==
-MD5 (mplayer/rtunes_ao.diff) = wqtsVPNrgRtMt7btNCcx7g==
 RMD160 (mplayer/MPlayer-1.0rc2.tar.bz2) = O1y6FSmFahd6UZHiL43MALWoPFI=
 RMD160 (mplayer/default-1.7.tar.bz2) = X3j/nbKW2P1T72YD7IoifutgLdE=
-RMD160 (mplayer/rtunes_ao.diff) = TSXB4a5nm6lbuXoVOtBabvrLpuY=
 SHA1 (mplayer/MPlayer-1.0rc2.tar.bz2) = 6bSW81J8VSAE7G0B1rQ/GWtDzi0=
 SHA1 (mplayer/default-1.7.tar.bz2) = aRLD5YtMdvrZf9tylFsngVBp9+M=
-SHA1 (mplayer/rtunes_ao.diff) = zz5vCLl3nXlw9h+J0edMmlZtaTQ=
 SHA256 (mplayer/MPlayer-1.0rc2.tar.bz2) = OHW3zIXo59+BwCpjjba0qXDR5mqG2tbr8podGfOPWVM=
 SHA256 (mplayer/default-1.7.tar.bz2) = qZkLpTTMqUwad0dF2eMUiRn3kAOmgz/8x4N3HM3gulM=
-SHA256 (mplayer/rtunes_ao.diff) = dipBj/CBSiuuWhLR0HL/phlJ20WMvI4Yw4zJ+h8wKQ8=
 SIZE (mplayer/MPlayer-1.0rc2.tar.bz2) = 9338201
 SIZE (mplayer/default-1.7.tar.bz2) = 173439
-SIZE (mplayer/rtunes_ao.diff) = 3879
diff --git a/x11/mplayer/patches/patch-libmpdemux_demux_audio_c b/x11/mplayer/patches/patch-libmpdemux_demux_audio_c
new file mode 100644
index 00000000000..d05372ccb23
--- /dev/null
+++ b/x11/mplayer/patches/patch-libmpdemux_demux_audio_c
@@ -0,0 +1,12 @@
+$OpenBSD: patch-libmpdemux_demux_audio_c,v 1.1 2008/02/11 00:22:03 jakemsr Exp $
+--- libmpdemux/demux_audio.c.orig Fri Feb 8 13:28:43 2008
++++ libmpdemux/demux_audio.c Fri Feb 8 13:29:10 2008
+@@ -229,6 +229,8 @@ get_flac_metadata (demuxer_t* demuxer)
+ ptr += 4;
+
+ comment = ptr;
++ if (&comment[length] < comments || &comment[length] >= &comments[blk_len])
++ return;
+ c = comment[length];
+ comment[length] = 0;
+
diff --git a/x11/mplayer/patches/patch-libmpdemux_demux_mov_c b/x11/mplayer/patches/patch-libmpdemux_demux_mov_c
new file mode 100644
index 00000000000..0c4d6f716d7
--- /dev/null
+++ b/x11/mplayer/patches/patch-libmpdemux_demux_mov_c
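Review bot: In the get_flac_metadata hunk of patch-libmpdemux_demux_audio_c, the added guard tests `length` by first forming `&comment[length]`, and computing that address is already undefined once `length` runs past the block, so a compiler may treat the `< comments` wrap-around arm as dead. Comparing the count with the bytes that remain avoids this, e.g. `if (comment >= &comments[blk_len] || length >= (size_t)(&comments[blk_len] - comment)) return;` (this assumes `comments` and `blk_len` describe the whole block buffer; their declarations are outside the hunk). The four bytes skipped by `ptr += 4` just above are presumably the length field itself, and nothing visible shows that they were inside the block when read. The function starts and ends outside the hunk, so whether the bare `return` skips later cleanup cannot be judged from here.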
@@ -0,0 +1,36 @@ +$OpenBSD: patch-libmpdemux_demux_mov_c,v 1.3 2008/02/11 00:22:03 jakemsr Exp $ +--- libmpdemux/demux_mov.c.orig Fri Feb 8 13:29:41 2008 ++++ libmpdemux/demux_mov.c Fri Feb 8 13:31:59 2008 +@@ -173,11 +173,12 @@ void mov_build_index(mov_track_t* trak,int timescale){ + i=trak->chunkmap_size; + while(i>0){ + --i; +- for(j=trak->chunkmap[i].first;jchunkmap[i].first, 0); ++ for(;jchunks[j].desc=trak->chunkmap[i].sdid; + trak->chunks[j].size=trak->chunkmap[i].spc; + } +- last=trak->chunkmap[i].first; ++ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size); + } + + #if 0 +@@ -235,6 +236,8 @@ void mov_build_index(mov_track_t* trak,int timescale){ + s=0; + for(j=0;jdurmap_size;j++){ + for(i=0;idurmap[j].num;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pts=pts; + ++s; + pts+=trak->durmap[j].dur; +@@ -246,6 +249,8 @@ void mov_build_index(mov_track_t* trak,int timescale){ + for(j=0;jchunks_size;j++){ + off_t pos=trak->chunks[j].pos; + for(i=0;ichunks[j].size;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pos=pos; + mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s, + trak->samples[s].pts, diff --git a/x11/mplayer/patches/patch-stream_stream_cddb_c b/x11/mplayer/patches/patch-stream_stream_cddb_c new file mode 100644 index 00000000000..874686ac1d3 --- /dev/null +++ b/x11/mplayer/patches/patch-stream_stream_cddb_c 
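Review bot: In mov_build_index (patch-libmpdemux_demux_mov_c), both added `if (s >= trak->samples_size) break;` guards leave only the inner `i` loop, so the outer `j` loop still walks every remaining durmap or chunk entry and the index is cut short with no diagnostic. Leaving both loops and logging once would make a malformed file visible to whoever triages it, for example `mp_msg(MSGT_DEMUX, MSGL_WARN, "MOV: sample table overrun, index truncated\n");` before the exit. The comparison is a complete bound only if `s` and `samples_size` cannot be negative, and both are declared outside the hunk. The loop headers of the first inner hunk lost characters in this copy of the patch, so the `FFMAX`/`FFMIN` clamping of `chunkmap[i].first` should be checked against the original file.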
@@ -0,0 +1,33 @@
+$OpenBSD: patch-stream_stream_cddb_c,v 1.1 2008/02/11 00:22:03 jakemsr Exp $
+--- stream/stream_cddb.c.orig Fri Feb 8 13:34:13 2008
++++ stream/stream_cddb.c Fri Feb 8 13:38:40 2008
+@@ -53,6 +53,7 @@
+ #include "version.h"
+ #include "stream.h"
+ #include "network.h"
++#include "libavutil/intreadwrite.h"
+
+ #define DEFAULT_FREEDB_SERVER "freedb.freedb.org"
+ #define DEFAULT_CACHE_DIR "/.cddb/"
+@@ -453,8 +454,9 @@ cddb_parse_matches_list(HTTP_header_t *http_hdr, cddb_
+ } else {
+ len = ptr2-ptr+1;
+ }
++ len = FFMIN(sizeof(album_title) - 1, len);
+ strncpy(album_title, ptr, len);
+- album_title[len-2]='\0';
++ album_title[len]='\0';
+ }
+ mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title);
+ return 0;
+@@ -490,8 +492,9 @@ cddb_query_parse(HTTP_header_t *http_hdr, cddb_data_t
+ } else {
+ len = ptr2-ptr+1;
+ }
++ len = FFMIN(sizeof(album_title) - 1, len);
+ strncpy(album_title, ptr, len);
+- album_title[len-2]='\0';
++ album_title[len]='\0';
+ }
+ mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title);
+ return cddb_request_titles(cddb_data);
diff --git a/x11/mplayer/patches/patch-stream_url_c b/x11/mplayer/patches/patch-stream_url_c
new file mode 100644
index 00000000000..4580378ec6f
--- /dev/null
+++ b/x11/mplayer/patches/patch-stream_url_c
@@ -0,0 +1,11 @@
+$OpenBSD: patch-stream_url_c,v 1.1 2008/02/11 00:22:03 jakemsr Exp $
+--- stream/url.c.orig Fri Feb 8 13:32:35 2008
++++ stream/url.c Fri Feb 8 13:33:05 2008
+@@ -328,6 +328,7 @@ url_escape_string(char *outbuf, const char *inbuf) {
+ }
+ }
+
++ tmp = NULL;
+ while(i < len) {
+ // look for the next char that must be kept
+ for (j=i;j
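Review bot: In cddb_parse_matches_list, and again in cddb_query_parse (patch-stream_stream_cddb_c), moving the terminator from `album_title[len-2]` to `album_title[len]` fixes the overrun but also changes the string: the last two bytes the old code cut off, presumably the line terminator of the server reply, now stay in `album_title` and reach `mp_msg`. If that trimming was intended, it can be kept safely by shortening before the clamp, e.g. `len = len > 2 ? len - 2 : 0;` ahead of the `FFMIN` line. `FFMIN` here compares a `size_t` with `len`, whose declaration is outside the hunk; if `len` is signed, a negative value is only caught through the implicit conversion to unsigned, which deserves a one-line comment such as `/* negative len converts to a large unsigned value and is clamped */`. Both function bodies extend beyond their hunks.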