From 7b8a6ade2a93279dbe1ed6f2e2a1884a3182bc2e Mon Sep 17 00:00:00 2001 From: naddy Date: Wed, 1 Oct 2008 16:01:51 +0000 Subject: [PATCH] SECURITY fix for Real demuxer heap overflow (CVE-2008-3827). ok biorn@, robert@ --- x11/mplayer/Makefile | 4 +-- .../patches/patch-libmpdemux_demux_real_c | 27 +++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 x11/mplayer/patches/patch-libmpdemux_demux_real_c diff --git a/x11/mplayer/Makefile b/x11/mplayer/Makefile index 6350e1a3a99..1b7223081d9 100644 --- a/x11/mplayer/Makefile +++ b/x11/mplayer/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.135 2008/09/15 22:13:02 jakemsr Exp $ +# $OpenBSD: Makefile,v 1.136 2008/10/01 16:01:51 naddy Exp $ # May not be hard to add more. ONLY_FOR_ARCHS= amd64 i386 powerpc sparc64 arm @@ -9,7 +9,7 @@ V= 1.0rc2 N= mplayer DISTNAME= MPlayer-${V} DIST_SUBDIR= ${N} -PKGNAME= ${N}-${V}p9 +PKGNAME= ${N}-${V}p10 CATEGORIES= x11 multimedia EXTRACT_SUFX= .tar.bz2 diff --git a/x11/mplayer/patches/patch-libmpdemux_demux_real_c b/x11/mplayer/patches/patch-libmpdemux_demux_real_c new file mode 100644 index 00000000000..92a12b96c4d --- /dev/null +++ b/x11/mplayer/patches/patch-libmpdemux_demux_real_c 
@@ -0,0 +1,27 @@
+$OpenBSD: patch-libmpdemux_demux_real_c,v 1.3 2008/10/01 16:01:51 naddy Exp $
+--- libmpdemux/demux_real.c.orig Sun Oct 7 21:49:33 2007
++++ libmpdemux/demux_real.c Tue Sep 30 16:34:43 2008
+@@ -958,6 +958,7 @@ got_video:
+ // last fragment!
+ if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=vpkg_offset;
+@@ -981,6 +982,7 @@ got_video:
+ // non-last fragment:
+ if(dp_hdr->len!=vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
++ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=len;
+@@ -1003,6 +1005,7 @@ got_video:
+ extra[0]=1; extra[1]=0; // offset of the first chunk
+ if(0x00==(vpkg_header&0xc0)){
+ // first fragment:
++ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ dp_hdr->len=len;
+ stream_read(demuxer->stream, dp_data, len);
+ ds->asf_packet=dp;
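Review bot: The three added clamps compute the remaining room as `dp->len - sizeof(dp_hdr_t) - dp_hdr->len`, and because `sizeof` makes that arithmetic `size_t`, the bound wraps to a very large value instead of going negative if `dp_hdr->len` ever exceeds `dp->len - sizeof(dp_hdr_t)`; the clamp is then skipped and `stream_read` still receives the unchecked length. Nothing visible in these hunks establishes that invariant (the `got_video` block and the packet allocation lie outside them), so I would make it explicit at each site: `size_t used = sizeof(dp_hdr_t) + dp_hdr->len;` `size_t room = (size_t)dp->len > used ? dp->len - used : 0;` `if ((size_t)len > room) len = room;` (with `vpkg_offset` in place of `len` in the last-fragment case). The clamp is also silent: a truncated fragment is not reported through `mp_msg`, and the unread remainder stays in the stream, so a one-line verbose warning beside each clamp would help when triaging malformed files. It is also worth confirming that `dp->len` covers only the header plus payload; if the allocation carries other trailing data, this bound would let fragment bytes run into it.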