head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2013Q1:1.1.0.4 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2013.04.12.13.40.47; author drochner; state dead; branches; next 1.1; 1.1 date 2013.01.30.15.52.19; author drochner; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2013.01.30.15.52.19; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2013.02.02.07.53.09; author tron; state Exp; branches; next ; desc @@ 1.2 log @update to 2.0.6 changes: Support for Matroska v4 files Fix WMV, Ogg, AVI, MP4 and subtitles crashes and issues Numerous translations updates and new Welsh translation Fix some HTTPS certificate rejection Fix ALAC decoding Fix FLAC 6.1 and 7.1 channel order Fix the vimeo parser Numerous D-Bus and MPRIS2 improvements @ text @$NetBSD: patch-SA1302,v 1.1 2013/01/30 15:52:19 drochner Exp $ upstream commit 330ba2296cd6841d0e8f0be40ef84966d5540fd3 --- modules/demux/asf/asf.c.orig 2012-08-28 17:25:19.000000000 +0000 +++ modules/demux/asf/asf.c @@@@ -383,15 +383,30 @@@@ static mtime_t GetMoviePTS( demux_sys_t return i_time; } -#define GETVALUE2b( bits, var, def ) \ - switch( (bits)&0x03 ) \ - { \ - case 1: var = p_peek[i_skip]; i_skip++; break; \ - case 2: var = GetWLE( p_peek + i_skip ); i_skip+= 2; break; \ - case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \ - case 0: \ - default: var = def; break;\ +static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits) +{ + switch(bits&0x03) + { + case 1: + if (left < 1) + return -1; + *var = p[*skip]; *skip += 1; + return 0; + case 2: + if (left < 2) + return -1; + *var = GetWLE(&p[*skip]); *skip += 2; + return 0; + case 3: + if (left < 4) + return -1; + *var = GetDWLE(&p[*skip]); *skip += 4; + return 0; + case 0: + default: + return 0; } +} static int DemuxPacket( demux_t *p_demux ) { @@@@ -405,15 +420,15 @@@@ static int DemuxPacket( demux_t *p_demux int i_packet_property; int b_packet_multiple_payload; - int i_packet_length; - int i_packet_sequence; - int i_packet_padding_length; + int i_packet_length = i_data_packet_min; + int i_packet_sequence = 0; + int i_packet_padding_length = 0; uint32_t i_packet_send_time; - uint16_t i_packet_duration; int i_payload; int i_payload_count; int i_payload_length_type; + int peek_size; if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)> 5, i_packet_length, i_data_packet_min ); - GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 ); - GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 ); + if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0) + goto loop_error_recovery; + if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0) + goto loop_error_recovery; + if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0) + goto loop_error_recovery; if( i_packet_padding_length > i_packet_length ) { @@@@ -479,7 +498,7 @@@@ static int DemuxPacket( demux_t *p_demux } i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4; - i_packet_duration = GetWLE( p_peek + i_skip ); i_skip += 2; + /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2; i_packet_size_left = i_packet_length; @@@@ -501,13 +520,13 @@@@ static int DemuxPacket( demux_t *p_demux int i_packet_keyframe; unsigned int i_stream_number; - int i_media_object_number; + int i_media_object_number = 0; int i_media_object_offset; - int i_replicated_data_length; - int i_payload_data_length; + int i_replicated_data_length = 0; + int i_payload_data_length = 0; int i_payload_data_pos; int i_sub_payload_data_length; - int i_tmp; + int i_tmp = 0; mtime_t i_pts; mtime_t i_pts_delta; @@@@ -521,9 +540,12 @@@@ static int DemuxPacket( demux_t *p_demux i_packet_keyframe = p_peek[i_skip] >> 7; i_stream_number = p_peek[i_skip++] & 0x7f; - GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 ); - GETVALUE2b( i_packet_property >> 2, i_tmp, 0 ); - GETVALUE2b( i_packet_property, i_replicated_data_length, 0 ); + if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0) + break; + if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0) + break; + if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0) + break; if( i_replicated_data_length > 1 ) // should be at least 8 bytes { @@@@ -558,7 +580,9 @@@@ static int DemuxPacket( demux_t *p_demux i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 ); if( b_packet_multiple_payload ) { - GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 ); + i_payload_data_length = 0; + if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0) + break; } else { @@@@ -645,6 +669,7 @@@@ static int DemuxPacket( demux_t *p_demux return 0; } i_packet_size_left -= i_read; + peek_size = 0; p_frag->p_buffer += i_skip; p_frag->i_buffer -= i_skip; @@@@ -672,6 +697,7 @@@@ static int DemuxPacket( demux_t *p_demux msg_Warn( p_demux, "cannot peek, EOF ?" ); return 0; } + peek_size = i_packet_size_left; } } } @ 1.1 log @add patch from upstream to fix Buffer Overflow in ASF Demuxer bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-SA1302 was added on branch pkgsrc-2012Q4 on 2013-02-02 07:53:09 +0000 @ text @d1 159 @ 1.1.2.2 log @Pullup ticket #4048 - requested by drochner multimedia/vlc2: security patch Revisions pulled up: - multimedia/vlc2/Makefile 1.23 via patch - multimedia/vlc2/distinfo 1.14 - multimedia/vlc2/patches/patch-SA1302 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Wed Jan 30 15:52:19 UTC 2013 Modified Files: pkgsrc/multimedia/vlc2: Makefile distinfo Added Files: pkgsrc/multimedia/vlc2/patches: patch-SA1302 Log Message: add patch from upstream to fix Buffer Overflow in ASF Demuxer bump PKGREV @ text @a0 159 $NetBSD$ upstream commit 330ba2296cd6841d0e8f0be40ef84966d5540fd3 --- modules/demux/asf/asf.c.orig 2012-08-28 17:25:19.000000000 +0000 +++ modules/demux/asf/asf.c @@@@ -383,15 +383,30 @@@@ static mtime_t GetMoviePTS( demux_sys_t return i_time; } -#define GETVALUE2b( bits, var, def ) \ - switch( (bits)&0x03 ) \ - { \ - case 1: var = p_peek[i_skip]; i_skip++; break; \ - case 2: var = GetWLE( p_peek + i_skip ); i_skip+= 2; break; \ - case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \ - case 0: \ - default: var = def; break;\ +static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits) +{ + switch(bits&0x03) + { + case 1: + if (left < 1) + return -1; + *var = p[*skip]; *skip += 1; + return 0; + case 2: + if (left < 2) + return -1; + *var = GetWLE(&p[*skip]); *skip += 2; + return 0; + case 3: + if (left < 4) + return -1; + *var = GetDWLE(&p[*skip]); *skip += 4; + return 0; + case 0: + default: + return 0; } +} static int DemuxPacket( demux_t *p_demux ) { @@@@ -405,15 +420,15 @@@@ static int DemuxPacket( demux_t *p_demux int i_packet_property; int b_packet_multiple_payload; - int i_packet_length; - int i_packet_sequence; - int i_packet_padding_length; + int i_packet_length = i_data_packet_min; + int i_packet_sequence = 0; + int i_packet_padding_length = 0; uint32_t i_packet_send_time; - uint16_t i_packet_duration; int i_payload; int i_payload_count; int i_payload_length_type; + int peek_size; if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)> 5, i_packet_length, i_data_packet_min ); - GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 ); - GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 ); + if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0) + goto loop_error_recovery; + if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0) + goto loop_error_recovery; + if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0) + goto loop_error_recovery; if( i_packet_padding_length > i_packet_length ) { @@@@ -479,7 +498,7 @@@@ static int DemuxPacket( demux_t *p_demux } i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4; - i_packet_duration = GetWLE( p_peek + i_skip ); i_skip += 2; + /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2; i_packet_size_left = i_packet_length; @@@@ -501,13 +520,13 @@@@ static int DemuxPacket( demux_t *p_demux int i_packet_keyframe; unsigned int i_stream_number; - int i_media_object_number; + int i_media_object_number = 0; int i_media_object_offset; - int i_replicated_data_length; - int i_payload_data_length; + int i_replicated_data_length = 0; + int i_payload_data_length = 0; int i_payload_data_pos; int i_sub_payload_data_length; - int i_tmp; + int i_tmp = 0; mtime_t i_pts; mtime_t i_pts_delta; @@@@ -521,9 +540,12 @@@@ static int DemuxPacket( demux_t *p_demux i_packet_keyframe = p_peek[i_skip] >> 7; i_stream_number = p_peek[i_skip++] & 0x7f; - GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 ); - GETVALUE2b( i_packet_property >> 2, i_tmp, 0 ); - GETVALUE2b( i_packet_property, i_replicated_data_length, 0 ); + if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0) + break; + if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0) + break; + if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0) + break; if( i_replicated_data_length > 1 ) // should be at least 8 bytes { @@@@ -558,7 +580,9 @@@@ static int DemuxPacket( demux_t *p_demux i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 ); if( b_packet_multiple_payload ) { - GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 ); + i_payload_data_length = 0; + if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0) + break; } else { @@@@ -645,6 +669,7 @@@@ static int DemuxPacket( demux_t *p_demux return 0; } i_packet_size_left -= i_read; + peek_size = 0; p_frag->p_buffer += i_skip; p_frag->i_buffer -= i_skip; @@@@ -672,6 +697,7 @@@@ static int DemuxPacket( demux_t *p_demux msg_Warn( p_demux, "cannot peek, EOF ?" ); return 0; } + peek_size = i_packet_size_left; } } } @