cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SECURITY fix for Real demuxer heap overflow (CVE-2008-3827).

Browse Source 
ok biorn@, robert@
This commit is contained in:
naddy 2008-10-01 16:01:51 +00:00
parent d55d534232
commit 7b8a6ade2a
2 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
x11/mplayer/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.135 2008/09/15 22:13:02 jakemsr Exp $
# $OpenBSD: Makefile,v 1.136 2008/10/01 16:01:51 naddy Exp $
# May not be hard to add more.
ONLY_FOR_ARCHS= amd64 i386 powerpc sparc64 arm
@ -9,7 +9,7 @@ V= 1.0rc2
N= mplayer
DISTNAME= MPlayer-${V}
DIST_SUBDIR= ${N}
PKGNAME= ${N}-${V}p9
PKGNAME= ${N}-${V}p10
CATEGORIES= x11 multimedia
EXTRACT_SUFX= .tar.bz2

27
x11/mplayer/patches/patch-libmpdemux_demux_real_c Normal file
View File

@ -0,0 +1,27 @@
$OpenBSD: patch-libmpdemux_demux_real_c,v 1.3 2008/10/01 16:01:51 naddy Exp $
--- libmpdemux/demux_real.c.orig Sun Oct 7 21:49:33 2007
+++ libmpdemux/demux_real.c Tue Sep 30 16:34:43 2008
@@ -958,6 +958,7 @@ got_video:
// last fragment!
if(dp_hdr->len!=vpkg_length-vpkg_offset)
mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
+ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
dp_hdr->len+=vpkg_offset;
@@ -981,6 +982,7 @@ got_video:
// non-last fragment:
if(dp_hdr->len!=vpkg_offset)
mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
+ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
dp_hdr->len+=len;
@@ -1003,6 +1005,7 @@ got_video:
extra[0]=1; extra[1]=0; // offset of the first chunk
if(0x00==(vpkg_header&0xc0)){
// first fragment:
+ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
dp_hdr->len=len;
stream_read(demuxer->stream, dp_data, len);
ds->asf_packet=dp;