From c04bb05ba39c2bb22ee523f427626adb3ab09937 Mon Sep 17 00:00:00 2001
From: brad <brad@openbsd.org>
Date: Wed, 6 Feb 2013 13:07:05 +0000
Subject: [PATCH] Two fixes from upstream..

- Fix crash with broken ASF files (SA-1302).
- Fix MKV behaviour with unknown or new EBML elements.

ok sthen@
---
 x11/vlc/Makefile                              |   4 +-
 x11/vlc/patches/patch-modules_demux_asf_asf_c | 159 ++++++++++++++++++
 .../patch-modules_demux_mkv_Ebml_parser_cpp   | 137 +++++++++++++++
 .../patch-modules_demux_mkv_Ebml_parser_hpp   |  37 ++++
 4 files changed, 335 insertions(+), 2 deletions(-)
 create mode 100644 x11/vlc/patches/patch-modules_demux_asf_asf_c
 create mode 100644 x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_cpp
 create mode 100644 x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_hpp

diff --git a/x11/vlc/Makefile b/x11/vlc/Makefile
index e9356958843..73297024cba 100644
--- a/x11/vlc/Makefile
+++ b/x11/vlc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.163 2013/01/03 03:18:21 brad Exp $
+# $OpenBSD: Makefile,v 1.164 2013/02/06 13:07:05 brad Exp $
 
 SHARED_ONLY=	Yes
 
@@ -8,7 +8,7 @@ COMMENT-jack=	JACK audio output module for VLC
 V=		2.0.5
 DISTNAME=	vlc-${V}
 PKGNAME-main=	${DISTNAME}
-REVISION-main=	2
+REVISION-main=	3
 PKGNAME-jack=	vlc-jack-${V}
 REVISION-jack=	1
 CATEGORIES=	x11
diff --git a/x11/vlc/patches/patch-modules_demux_asf_asf_c b/x11/vlc/patches/patch-modules_demux_asf_asf_c
new file mode 100644
index 00000000000..120e204d057
--- /dev/null
+++ b/x11/vlc/patches/patch-modules_demux_asf_asf_c
@@ -0,0 +1,159 @@
+$OpenBSD: patch-modules_demux_asf_asf_c,v 1.1 2013/02/06 13:07:05 brad Exp $
+
+Fix crash with broken ASF files (SA-1302).
+
+--- modules/demux/asf/asf.c.orig	Tue Aug 28 13:25:19 2012
++++ modules/demux/asf/asf.c	Tue Feb  5 07:53:12 2013
+@@ -383,15 +383,30 @@ static mtime_t GetMoviePTS( demux_sys_t *p_sys )
+     return i_time;
+ }
+ 
+-#define GETVALUE2b( bits, var, def ) \
+-    switch( (bits)&0x03 ) \
+-    { \
+-        case 1: var = p_peek[i_skip]; i_skip++; break; \
+-        case 2: var = GetWLE( p_peek + i_skip );  i_skip+= 2; break; \
+-        case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \
+-        case 0: \
+-        default: var = def; break;\
++static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits)
++{
++    switch(bits&0x03)
++    {
++    case 1:
++        if (left < 1)
++            return -1;
++        *var = p[*skip]; *skip += 1;
++        return 0;
++    case 2:
++        if (left < 2)
++            return -1;
++        *var = GetWLE(&p[*skip]); *skip += 2;
++        return 0;
++    case 3:
++        if (left < 4)
++            return -1;
++        *var = GetDWLE(&p[*skip]); *skip += 4;
++        return 0;
++    case 0:
++    default:
++        return 0;
+     }
++}
+ 
+ static int DemuxPacket( demux_t *p_demux )
+ {
+@@ -405,15 +420,15 @@ static int DemuxPacket( demux_t *p_demux )
+     int         i_packet_property;
+ 
+     int         b_packet_multiple_payload;
+-    int         i_packet_length;
+-    int         i_packet_sequence;
+-    int         i_packet_padding_length;
++    int         i_packet_length = i_data_packet_min;
++    int         i_packet_sequence = 0;
++    int         i_packet_padding_length = 0;
+ 
+     uint32_t    i_packet_send_time;
+-    uint16_t    i_packet_duration;
+     int         i_payload;
+     int         i_payload_count;
+     int         i_payload_length_type;
++    int         peek_size;
+ 
+ 
+     if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)<i_data_packet_min )
+@@ -421,6 +436,7 @@ static int DemuxPacket( demux_t *p_demux )
+         msg_Warn( p_demux, "cannot peek while getting new packet, EOF ?" );
+         return 0;
+     }
++    peek_size = i_data_packet_min;
+     i_skip = 0;
+ 
+     /* *** parse error correction if present *** */
+@@ -461,9 +477,12 @@ static int DemuxPacket( demux_t *p_demux )
+     b_packet_multiple_payload = i_packet_flags&0x01;
+ 
+     /* read some value */
+-    GETVALUE2b( i_packet_flags >> 5, i_packet_length, i_data_packet_min );
+-    GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 );
+-    GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 );
++    if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0)
++        goto loop_error_recovery;
++    if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0)
++        goto loop_error_recovery;
++    if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0)
++        goto loop_error_recovery;
+ 
+     if( i_packet_padding_length > i_packet_length )
+     {
+@@ -479,7 +498,7 @@ static int DemuxPacket( demux_t *p_demux )
+     }
+ 
+     i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
+-    i_packet_duration  = GetWLE( p_peek + i_skip ); i_skip += 2;
++    /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
+ 
+     i_packet_size_left = i_packet_length;
+ 
+@@ -501,13 +520,13 @@ static int DemuxPacket( demux_t *p_demux )
+ 
+         int i_packet_keyframe;
+         unsigned int i_stream_number;
+-        int i_media_object_number;
++        int i_media_object_number = 0;
+         int i_media_object_offset;
+-        int i_replicated_data_length;
+-        int i_payload_data_length;
++        int i_replicated_data_length = 0;
++        int i_payload_data_length = 0;
+         int i_payload_data_pos;
+         int i_sub_payload_data_length;
+-        int i_tmp;
++        int i_tmp = 0;
+ 
+         mtime_t i_pts;
+         mtime_t i_pts_delta;
+@@ -521,9 +540,12 @@ static int DemuxPacket( demux_t *p_demux )
+         i_packet_keyframe = p_peek[i_skip] >> 7;
+         i_stream_number = p_peek[i_skip++] & 0x7f;
+ 
+-        GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 );
+-        GETVALUE2b( i_packet_property >> 2, i_tmp, 0 );
+-        GETVALUE2b( i_packet_property, i_replicated_data_length, 0 );
++        if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0)
++            break;
++        if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0)
++            break;
++        if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0)
++            break;
+ 
+         if( i_replicated_data_length > 1 ) // should be at least 8 bytes
+         {
+@@ -558,7 +580,9 @@ static int DemuxPacket( demux_t *p_demux )
+         i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 );
+         if( b_packet_multiple_payload )
+         {
+-            GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 );
++            i_payload_data_length = 0;
++            if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0)
++                break;
+         }
+         else
+         {
+@@ -645,6 +669,7 @@ static int DemuxPacket( demux_t *p_demux )
+                 return 0;
+             }
+             i_packet_size_left -= i_read;
++            peek_size = 0;
+ 
+             p_frag->p_buffer += i_skip;
+             p_frag->i_buffer -= i_skip;
+@@ -672,6 +697,7 @@ static int DemuxPacket( demux_t *p_demux )
+                     msg_Warn( p_demux, "cannot peek, EOF ?" );
+                     return 0;
+                 }
++                peek_size = i_packet_size_left;
+             }
+         }
+     }
diff --git a/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_cpp b/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_cpp
new file mode 100644
index 00000000000..a16ffae7ee0
--- /dev/null
+++ b/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_cpp
@@ -0,0 +1,137 @@
+$OpenBSD: patch-modules_demux_mkv_Ebml_parser_cpp,v 1.1 2013/02/06 13:07:05 brad Exp $
+
+Fix MKV behaviour with unknown or new EBML elements.
+
+--- modules/demux/mkv/Ebml_parser.cpp.orig	Fri Dec  9 11:58:27 2011
++++ modules/demux/mkv/Ebml_parser.cpp	Tue Feb  5 07:55:42 2013
+@@ -30,6 +30,7 @@
+  * Ebml Stream parser
+  *****************************************************************************/
+ EbmlParser::EbmlParser( EbmlStream *es, EbmlElement *el_start, demux_t *p_demux ) :
++    p_demux( p_demux ),
+     m_es( es ),
+     mi_level( 1 ),
+     m_got( NULL ),
+@@ -103,7 +104,7 @@ void EbmlParser::Up( void )
+ {
+     if( mi_user_level == mi_level )
+     {
+-        fprintf( stderr,"MKV/Ebml Parser: Up cannot escape itself\n" );
++        msg_Warn( p_demux, "MKV/Ebml Parser: Up cannot escape itself" );
+     }
+ 
+     mi_user_level--;
+@@ -133,15 +134,17 @@ void EbmlParser::Reset( demux_t *p_demux )
+         m_el[mi_level] = NULL;
+         mi_level--;
+     }
++    this->p_demux = p_demux;
+     mi_user_level = mi_level = 1;
+     // a little faster and cleaner
+     m_es->I_O().setFilePointer( static_cast<KaxSegment*>(m_el[0])->GetGlobalPosition(0) );
+     mb_dummy = var_InheritBool( p_demux, "mkv-use-dummy" );
+ }
+ 
+-EbmlElement *EbmlParser::Get( void )
++EbmlElement *EbmlParser::Get( int n_call )
+ {
+     int i_ulev = 0;
++    EbmlElement *p_prev = NULL;
+ 
+     if( mi_user_level != mi_level )
+     {
+@@ -155,24 +158,29 @@ EbmlElement *EbmlParser::Get( void )
+         return ret;
+     }
+ 
++    p_prev = m_el[mi_level];
+     if( m_el[mi_level] )
+     {
+         m_el[mi_level]->SkipData( *m_es, EBML_CONTEXT(m_el[mi_level]) );
+-        if( !mb_keep )
+-        {
+-            if( MKV_IS_ID( m_el[mi_level], KaxBlockVirtual ) )
+-                static_cast<KaxBlockVirtualWorkaround*>(m_el[mi_level])->Fix();
+-            delete m_el[mi_level];
+-        }
+-        mb_keep = false;
++
+     }
+     vlc_stream_io_callback & io_stream = (vlc_stream_io_callback &) m_es->I_O();
+     uint64 i_size = io_stream.toRead();
+     m_el[mi_level] = m_es->FindNextElement( EBML_CONTEXT(m_el[mi_level - 1]),
+-                                            i_ulev, i_size, mb_dummy, 1 );
++                                            i_ulev, i_size, true, 1 );
+ //    mi_remain_size[mi_level] = m_el[mi_level]->GetSize();
+     if( i_ulev > 0 )
+     {
++        if( p_prev )
++        {
++            if( !mb_keep )
++            {
++                if( MKV_IS_ID( p_prev, KaxBlockVirtual ) )
++                    static_cast<KaxBlockVirtualWorkaround*>(p_prev)->Fix();
++                delete p_prev;
++            }
++            mb_keep = false;
++        }
+         while( i_ulev > 0 )
+         {
+             if( mi_level == 1 )
+@@ -192,9 +200,55 @@ EbmlElement *EbmlParser::Get( void )
+     }
+     else if( m_el[mi_level] == NULL )
+     {
+-        fprintf( stderr,"MKV/Ebml Parser: m_el[mi_level] == NULL\n" );
++        msg_Warn( p_demux,"MKV/Ebml Parser: m_el[mi_level] == NULL\n" );
+     }
++    else if( m_el[mi_level]->IsDummy() && !mb_dummy )
++    {
++        bool b_bad_position = false;
++        /* We got a dummy element but don't want those...
++         * perform a sanity check */
++        if( !mi_level )
++        {
++            msg_Err(p_demux, "Got invalid lvl 0 element... Aborting");
++            return NULL;
++        }
+ 
++        if( p_prev && p_prev->IsFiniteSize() &&
++            p_prev->GetEndPosition() != m_el[mi_level]->GetElementPosition())
++        {
++            msg_Err( p_demux, "Dummy Element at unexpected position... corrupted file?" );
++            b_bad_position = true;
++        }
++
++        if( n_call < 10 && !b_bad_position && m_el[mi_level]->IsFiniteSize() &&
++            ( !m_el[mi_level-1]->IsFiniteSize() ||
++              m_el[mi_level]->GetEndPosition() <= m_el[mi_level-1]->GetEndPosition() ) )
++        {
++            /* The element fits inside its upper element */
++            msg_Warn( p_demux, "Dummy element found... skipping it" );
++            return Get( ++n_call );
++        }
++        else
++        {
++            /* Too large, misplaced or 10 successive dummy elements */
++            msg_Err( p_demux, "Dummy element too large or misplaced... skipping to next upper element" );
++            delete m_el[mi_level];
++            m_el[mi_level] = NULL;
++            m_el[mi_level - 1]->SkipData( *m_es, EBML_CONTEXT(m_el[mi_level - 1]) );
++            return Get();
++        }
++    }
++
++    if( p_prev )
++    {
++        if( !mb_keep )
++        {
++            if( MKV_IS_ID( p_prev, KaxBlockVirtual ) )
++                static_cast<KaxBlockVirtualWorkaround*>(p_prev)->Fix();
++            delete p_prev;
++        }
++        mb_keep = false;
++    }
+     return m_el[mi_level];
+ }
+ 
diff --git a/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_hpp b/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_hpp
new file mode 100644
index 00000000000..b12de22eb8a
--- /dev/null
+++ b/x11/vlc/patches/patch-modules_demux_mkv_Ebml_parser_hpp
@@ -0,0 +1,37 @@
+$OpenBSD: patch-modules_demux_mkv_Ebml_parser_hpp,v 1.1 2013/02/06 13:07:05 brad Exp $
+
+Fix MKV behaviour with unknown or new EBML elements.
+
+--- modules/demux/mkv/Ebml_parser.hpp.orig	Thu Dec  8 13:00:26 2011
++++ modules/demux/mkv/Ebml_parser.hpp	Tue Feb  5 07:55:42 2013
+@@ -39,7 +39,7 @@ class EbmlParser
+     void Up( void );
+     void Down( void );
+     void Reset( demux_t *p_demux );
+-    EbmlElement *Get( void );
++    EbmlElement *Get( int n_call = 0 );
+     void        Keep( void );
+     EbmlElement *UnGet( uint64 i_block_pos, uint64 i_cluster_pos );
+ 
+@@ -49,16 +49,17 @@ class EbmlParser
+     bool IsTopPresent( EbmlElement * ) const;
+ 
+   private:
++    demux_t     *p_demux;
+     EbmlStream  *m_es;
+-    int         mi_level;
++    int          mi_level;
+     EbmlElement *m_el[10];
+     int64_t      mi_remain_size[10];
+ 
+     EbmlElement *m_got;
+ 
+-    int         mi_user_level;
+-    bool        mb_keep;
+-    bool        mb_dummy;
++    int          mi_user_level;
++    bool         mb_keep;
++    bool         mb_dummy;
+ };
+ 
+ /* This class works around a bug in KaxBlockVirtual implementation */