head 1.7; access; symbols pkgsrc-2013Q2:1.7.0.6 pkgsrc-2013Q2-base:1.7 pkgsrc-2012Q4:1.7.0.4 pkgsrc-2012Q4-base:1.7 pkgsrc-2011Q4:1.7.0.2 pkgsrc-2011Q4-base:1.7 pkgsrc-2011Q3:1.6.0.16 pkgsrc-2011Q3-base:1.6 pkgsrc-2011Q2:1.6.0.14 pkgsrc-2011Q2-base:1.6 pkgsrc-2011Q1:1.6.0.12 pkgsrc-2011Q1-base:1.6 pkgsrc-2010Q4:1.6.0.10 pkgsrc-2010Q4-base:1.6 pkgsrc-2010Q3:1.6.0.8 pkgsrc-2010Q3-base:1.6 pkgsrc-2010Q2:1.6.0.6 pkgsrc-2010Q2-base:1.6 pkgsrc-2010Q1:1.6.0.4 pkgsrc-2010Q1-base:1.6 pkgsrc-2009Q4:1.6.0.2 pkgsrc-2009Q4-base:1.6 pkgsrc-2009Q3:1.5.0.6 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.5.0.4 pkgsrc-2009Q2-base:1.5 pkgsrc-2009Q1:1.5.0.2 pkgsrc-2009Q1-base:1.5 pkgsrc-2008Q4:1.4.0.8 pkgsrc-2008Q4-base:1.4 pkgsrc-2008Q3:1.4.0.6 pkgsrc-2008Q3-base:1.4 cube-native-xorg:1.4.0.4 cube-native-xorg-base:1.4 pkgsrc-2008Q2:1.4.0.2 pkgsrc-2008Q2-base:1.4 pkgsrc-2008Q1:1.3.0.2 pkgsrc-2008Q1-base:1.3; locks; strict; comment @# @; 1.7 date 2011.12.25.03.24.10; author sbd; state dead; branches; next 1.6; 1.6 date 2009.12.09.10.13.03; author drochner; state Exp; branches; next 1.5; 1.5 date 2009.02.19.12.58.03; author drochner; state Exp; branches; next 1.4; 1.4 date 2008.04.10.11.48.58; author drochner; state dead; branches; next 1.3; 1.3 date 2008.03.19.16.09.35; author drochner; state Exp; branches; next 1.2; 1.2 date 2008.02.01.20.35.10; author drochner; state dead; branches; next 1.1; 1.1 date 2008.01.11.16.05.28; author drochner; state Exp; branches; next ; desc @@ 1.7 log @Because automake is now being called automake source files (not output file) must be patched. 
@ text @$NetBSD: patch-ga,v 1.6 2009/12/09 10:13:03 drochner Exp $ --- Makefile.in.orig 2009-12-01 02:53:42.000000000 +0100 +++ Makefile.in @@@@ -1049,8 +1049,8 @@@@ maintainer-clean-generic: maintainer-clean-generic-hook: rm -f config.status -$(top_srcdir)/configure: $(am__configure_deps) - cd $(srcdir) && $(AUTOCONF) && $(SED) -i -e '/gnu_ld/,/;;/ s/--rpath \$${wl}/--rpath,/' $@@ +#$(top_srcdir)/configure: $(am__configure_deps) +# cd $(srcdir) && $(AUTOCONF) && $(SED) -i -e '/gnu_ld/,/;;/ s/--rpath \$${wl}/--rpath,/' $@@ # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. @ 1.6 log @update to 1.1.17 changes: -improved Matroska support -UTF-16 fixes -hack for Apple film trailers -improved BluRay support -OpenBSD sndio support @ text @d1 1 a1 1 $NetBSD$ @ 1.5 log @update to 1.1.16.2 changes: * Build fixes related to ImageMagick 6.4 & later. * Fix an error in Matroska PTS calculation. * Some front ends hang due to the hang fixes in 1.1.16. Fix this by removing a break statement. * Fix broken size checks in various input plugins (ref. CVE-2008-5239). * More malloc checking (ref. CVE-2008-5240). * Fix race conditions in gapless_switch (ref. kde bug #180339) * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt) pkgsrc notes: -the 4xm fix upstream is wrong, do it better (patch-ax) -filter out --no-undefined linker options on NetBSD<5 because this causes errors if shared modules are not linked against libc @ text @d3 1 a3 1 --- Makefile.in.orig 2009-02-17 15:37:58.000000000 +0100 d5 2 a6 2 @@@@ -951,8 +951,8 @@@@ maintainer-clean-generic: maintainer-clean-generic-hook: d13 1 a15 1 .NOEXPORT: @ 1.4 log @update to 1.1.11.1 changes: * Security fixes: - Array Indexing Vulnerability in sdpplin_parse(). 
(CVE-2008-0073) - integer overflow, possibly leading to buffer overflow, CVE-2008-1482 * Reworked the plugin directory naming so that external plugins don't have to be rebuilt for every release * Made the version parsing much more reliable; it wasn't properly coping with four-part version numbers * Fixed an off-by-one in the FLAC security fix patch. This breakage was causing failure to play some files * Support 16-bit big-endian DTS audio * Improved frame snapshot API. (ABI extension.) * Re-add support for # (stream parameter separator) in raw filenames * Fixed long delay when closing stream on dual core systems pkgsrc note: CVE-2008-0073 was already fixed by patch @ text @d1 1 a1 1 $NetBSD: patch-ga,v 1.3 2008/03/19 16:09:35 drochner Exp $ d3 5 a7 38 --- src/input/libreal/sdpplin.c.orig 2008-03-19 16:33:16.000000000 +0100 +++ src/input/libreal/sdpplin.c @@@@ -143,7 +143,14 @@@@ static sdpplin_stream_t *sdpplin_parse_s handled=0; if(filter(*data,"a=control:streamid=",&buf)) { - desc->stream_id=atoi(buf); + /* This way negative values are mapped to unfeasibly high + * values, and will be discarded afterward + */ + unsigned long tmp = strtoul(buf, NULL, 10); + if ( tmp > UINT16_MAX ) + lprintf("stream id out of bound: %lu\n", tmp); + else + desc->stream_id=tmp; handled=1; *data=nl(*data); } @@@@ -199,7 +206,7 @@@@ static sdpplin_stream_t *sdpplin_parse_s if(filter(*data,"a=OpaqueData:buffer;",&buf)) { decoded = b64_decode(buf, decoded, &(desc->mlti_data_size)); if ( decoded != NULL ) { - desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size); + desc->mlti_data = calloc(desc->mlti_data_size, sizeof(char)); memcpy(desc->mlti_data, decoded, desc->mlti_data_size); handled=1; *data=nl(*data); @@@@ -252,7 +259,10 @@@@ sdpplin_t *sdpplin_parse(char *data) { } stream=sdpplin_parse_stream(&data); lprintf("got data for stream id %u\n", stream->stream_id); - desc->stream[stream->stream_id]=stream; + if ( stream->stream_id >= desc->stream_count ) + lprintf("stream id %u is 
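Review bot: In the `a=control:streamid=` branch of `sdpplin_parse_stream`, an out-of-range id is only logged; `desc->stream_id` then keeps whatever value it had before, so the stream is not actually "discarded afterward" as the new comment says. If `desc` starts out zeroed (its allocation is outside the hunk), a rejected stream ends up with id 0 and can later take the slot of the real stream 0. `strtoul(buf, NULL, 10)` also returns 0 for text with no digits, because no end pointer is checked. I would make the rejection branch fail the stream parse, or record an explicit invalid marker that `sdpplin_parse` tests before storing the stream.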
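Review bot: The `calloc` result in the `a=OpaqueData:buffer;` branch goes straight into `memcpy` with no NULL check, so a failed allocation for a large decoded size becomes a write through NULL. `mlti_data_size` is set by `b64_decode` from the SDP text, which is presumably supplied by the remote server. A guard such as `if (desc->mlti_data) memcpy(desc->mlti_data, decoded, desc->mlti_data_size); else desc->mlti_data_size = 0;` keeps pointer and size consistent. The `calloc` for `desc->stream` in the `a=StreamCount:integer;` hunk of `sdpplin_parse` is unchecked in the same way; there a NULL array with a non-zero `stream_count` would let the bounds-checked store `desc->stream[stream->stream_id]=stream` write through NULL.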
greater than stream count %u\n", stream->stream_id, desc->stream_count); + else + desc->stream[stream->stream_id]=stream; continue; } d9 7 a15 18 @@@@ -293,8 +303,15 @@@@ sdpplin_t *sdpplin_parse(char *data) { } if(filter(data,"a=StreamCount:integer;",&buf)) { - desc->stream_count=atoi(buf); - desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); + /* This way negative values are mapped to unfeasibly high + * values, and will be discarded afterward + */ + unsigned long tmp = strtoul(buf, NULL, 10); + if ( tmp > UINT16_MAX ) + lprintf("stream count out of bound: %lu\n", tmp); + else + desc->stream_count = tmp; + desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*)); handled=1; data=nl(data); } @ 1.3 log @add patch from upstream to fix a buffer overflow in the SDP parser (CVE-2008-0073) bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @update to 1.1.10 changes: This release contains a security fix (remotely-expoitable buffer overflow, CVE-2006-1664). (This is not the first time that that bug has been fixed?) It also fixes a few more recent bugs, such as the audio output problems in 1.1.9. (The fix for CVE-2008-0225 which we had patches for was included upstream too.) 
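Review bot: When the new bounds check in `sdpplin_parse` rejects a stream (`stream->stream_id >= desc->stream_count`), the object returned by `sdpplin_parse_stream` is neither stored nor released, so every rejected stream description leaks, including any `mlti_data` it owns. The rejection branch should free the stream and its members before `continue`. The context line `lprintf("got data for stream id %u\n", stream->stream_id);` also dereferences `stream` before any NULL test; whether `sdpplin_parse_stream` can return NULL is not visible from this hunk. An in-range id that appears twice overwrites the earlier pointer without freeing it.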
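Review bot: In the `a=StreamCount:integer;` branch the `calloc` for `desc->stream` sits after the `if`/`else`, so it also runs when the count was just rejected as out of bound, sized by whatever `desc->stream_count` held before. If the attribute appears a second time, the array is replaced without freeing the old one, and stream pointers already stored in it are lost. I would allocate only on the accepting path and only once, for example `else if (!desc->stream) { desc->stream_count = tmp; desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*)); }`. The initial value of `desc->stream` comes from code outside the hunk, so this assumes it starts as NULL.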
@ text @d1 1 a1 1 $NetBSD: patch-ga,v 1.1 2008/01/11 16:05:28 drochner Exp $ d3 38 a40 65 --- src/input/libreal/rmff.c.orig 2008-01-01 14:30:08.000000000 +0100 +++ src/input/libreal/rmff.c @@@@ -35,9 +35,14 @@@@ * writes header data to a buffer */ -static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { +static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, +int bufsize) { + + if (!fileheader) return 0; + + if (bufsize < RMFF_FILEHEADER_SIZE) + return -1; - if (!fileheader) return; fileheader->object_id=_X_BE_32(&fileheader->object_id); fileheader->size=_X_BE_32(&fileheader->size); fileheader->object_version=_X_BE_16(&fileheader->object_version); @@@@ -53,11 +58,17 @@@@ static void rmff_dump_fileheader(rmff_fi fileheader->file_version=_X_BE_32(&fileheader->file_version); fileheader->num_headers=_X_BE_32(&fileheader->num_headers); fileheader->object_id=_X_BE_32(&fileheader->object_id); + + return RMFF_FILEHEADER_SIZE; } -static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { +static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) { + + if (!prop) return 0; + + if (bufsize < RMFF_PROPHEADER_SIZE) + return -1; - if (!prop) return; prop->object_id=_X_BE_32(&prop->object_id); prop->size=_X_BE_32(&prop->size); prop->object_version=_X_BE_16(&prop->object_version); @@@@ -93,13 +104,20 @@@@ static void rmff_dump_prop(rmff_prop_t * prop->num_streams=_X_BE_16(&prop->num_streams); prop->flags=_X_BE_16(&prop->flags); prop->object_id=_X_BE_32(&prop->object_id); + + return RMFF_PROPHEADER_SIZE; } -static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { +static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) { int s1, s2, s3; - if (!mdpr) return; + if (!mdpr) return 0; + + if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + + mdpr->stream_name_size + mdpr->mime_type_size) + return -1; + mdpr->object_id=_X_BE_32(&mdpr->object_id); mdpr->size=_X_BE_32(&mdpr->size); 
mdpr->object_version=_X_BE_16(&mdpr->object_version); @@@@ -141,13 +159,19 @@@@ static void rmff_dump_mdpr(rmff_mdpr_t * mdpr->duration=_X_BE_32(&mdpr->duration); mdpr->object_id=_X_BE_32(&mdpr->object_id); d42 1 a42 85 + return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3; } -static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { +static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) { int p; - if (!cont) return; + if (!cont) return 0; + + if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + + cont->copyright_len + cont->comment_len) + return -1; + cont->object_id=_X_BE_32(&cont->object_id); cont->size=_X_BE_32(&cont->size); cont->object_version=_X_BE_16(&cont->object_version); @@@@ -181,11 +205,19 @@@@ static void rmff_dump_cont(rmff_cont_t * cont->size=_X_BE_32(&cont->size); cont->object_version=_X_BE_16(&cont->object_version); cont->object_id=_X_BE_32(&cont->object_id); + + return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + + cont->copyright_len + cont->comment_len; } -static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { +static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int +bufsize) { + + if (!data) return 0; + + if (bufsize < RMFF_DATAHEADER_SIZE) + return -1; - if (!data) return; data->object_id=_X_BE_32(&data->object_id); data->size=_X_BE_32(&data->size); data->object_version=_X_BE_16(&data->object_version); @@@@ -201,31 +233,43 @@@@ static void rmff_dump_dataheader(rmff_da data->size=_X_BE_32(&data->size); data->object_version=_X_BE_16(&data->object_version); data->object_id=_X_BE_32(&data->object_id); + + return RMFF_DATAHEADER_SIZE; } -int rmff_dump_header(rmff_header_t *h, char *buffer, int max) { +int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) { + uint8_t *buffer = buf_gen; - int written=0; + int written=0, size; rmff_mdpr_t **stream=h->streams; - rmff_dump_fileheader(h->fileheader, &buffer[written]); - written+=h->fileheader->size; - 
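Review bot: The new space check in `rmff_dump_mdpr` forms the sum `RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size` from length fields that come from the stream header, then compares it with a signed `int bufsize`. The field types are declared outside this patch; if any of them is a 32-bit unsigned value, a large length can wrap the sum and the comparison is carried out unsigned, so the check can pass with too little room. Checking each length against the remaining space avoids forming the sum at all. The same pattern is used for the four `*_len` fields in `rmff_dump_cont` in the next hunk. The function returns `RMFF_MDPRHEADER_SIZE + s1 + s2 + s3`, where `s1`..`s3` are computed in lines outside the hunk, so it is worth confirming that they are the same quantities the check uses.

```c
  if (!mdpr) return 0;

  /* Check each variable-length field against the space that is left,
   * so that no sum of stream-supplied lengths is ever formed. */
  if (bufsize < RMFF_MDPRHEADER_SIZE)
    return -1;
  size_t room = (size_t)(bufsize - RMFF_MDPRHEADER_SIZE);
  if (mdpr->type_specific_len > room)
    return -1;
  room -= mdpr->type_specific_len;
  if (mdpr->stream_name_size > room)
    return -1;
  room -= mdpr->stream_name_size;
  if (mdpr->mime_type_size > room)
    return -1;
  /* … unchanged: byte-swapping and copying of the header fields … */
```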
rmff_dump_prop(h->prop, &buffer[written]); - written+=h->prop->size; - rmff_dump_cont(h->cont, &buffer[written]); - written+=h->cont->size; + if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; + if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; + if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; if (stream) { while(*stream) { - rmff_dump_mdpr(*stream, &buffer[written]); - written+=(*stream)->size; + if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0) + return -1; + written+=size; + max -= size; stream++; a43 1 } d45 15 a59 8 - rmff_dump_dataheader(h->data, &buffer[written]); - written+=18; + if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0) + return -1; + written+=size; return written; } @ 1.1 log @update to 1.1.9 changes: There are improvements to DVB subtitle support and H.264 video, and fixes for MP3 playback, DVB, ivtv, Flash video streams and some playlist types (particularly XML ones). One significant fix is that the special "be nice to the user" '#' handling has been dropped since it seems to have been causing more problems than it fixes. pkgsrc note: a fix for CVE-2008-0225 (RTSP buffer overflow) is already included @ text @d1 1 a1 1 $NetBSD$ @
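Review bot: `rmff_dump_header` gains a failure return that nothing in the hunk documents: it now yields -1 when `max` is too small, and by then earlier headers may already have been written into the buffer. I would add a comment above the function such as `/* Returns the number of bytes written, or -1 if max is too small; the buffer contents are then unspecified. */`. Callers that use the result as a length must test for a negative value before using it; none of them are part of this patch, so that needs checking separately. `h` is still dereferenced (`h->streams`) before any NULL test, while the helpers now tolerate NULL sub-headers.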