Pullup ticket 317 - requested by Lubomir Sedlacik

security fix for xine-lib Apply a manual patch that fixes the vulnerabilities noted in http://www.xinehq.de/index.php/security/XSA-2004-6
jsonn · Feb 28, 2005 · 303d7ef · 303d7ef
1 parent fdc255c
commit 303d7ef
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 3 deletions.
diff --git a/multimedia/xine-lib/Makefile b/multimedia/xine-lib/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.14.2.1 2005/01/07 01:22:20 salo Exp $
+# $NetBSD: Makefile,v 1.14.2.2 2005/02/28 21:11:50 snj Exp $
 #
 
 .include "Makefile.common"
 
-PKGREVISION=		2
+PKGREVISION=		3
 
 .if ${MACHINE_ARCH} == "i386"
 DEPENDS+=       	win32-codecs>=011227:../../multimedia/win32-codecs

diff --git a/multimedia/xine-lib/distinfo b/multimedia/xine-lib/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.9.2.1 2005/01/07 01:22:20 salo Exp $
+$NetBSD: distinfo,v 1.9.2.2 2005/02/28 21:11:50 snj Exp $
 
 SHA1 (xine-lib-1-rc6a.tar.gz) = 9359543ae3cc34f25af08ef42cbd13f08cae8398
 Size (xine-lib-1-rc6a.tar.gz) = 7003035 bytes
@@ -22,3 +22,5 @@ SHA1 (patch-au) = 569ac1d00402eb3679bf99f0afe5832f425b3b0e
 SHA1 (patch-av) = 56f462e6091a72e87544ece689557d60fbb749aa
 SHA1 (patch-ba) = a527975fe9675358090bddc1361b707aa122f89b
 SHA1 (patch-bb) = fcfdf5dae066837cb35e51a5d114c366a5b3a7b2
+SHA1 (patch-bc) = c07129e89ed5b958c9361b864e227cc7569e4a33
+SHA1 (patch-bd) = 2af09a00178b2cc499f98a454667e9dbfcc8e072
diff --git a/multimedia/xine-lib/patches/patch-bc b/multimedia/xine-lib/patches/patch-bc
@@ -0,0 +1,102 @@
+$NetBSD: patch-bc,v 1.2.2.2 2005/02/28 21:11:50 snj Exp $
+
+--- src/input/pnm.c	2003/12/12 22:53:15	1.20
++++ src/input/pnm.c	2004/12/15 12:53:36	1.21
+@@ -205,16 +205,21 @@
+                          char *data, int *need_response) {
+
+   unsigned int chunk_size;
+-  int n;
++  unsigned int n;
+   char *ptr;
+- 
++
++  if( max < PREAMBLE_SIZE )
++    return -1;
++    
+   /* get first PREAMBLE_SIZE bytes and ignore checksum */
+   _x_io_tcp_read (p->stream, p->s, data, CHECKSUM_SIZE);
+   if (data[0] == 0x72)
+     _x_io_tcp_read (p->stream, p->s, data, PREAMBLE_SIZE);
+   else
+     _x_io_tcp_read (p->stream, p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE);
+-  
++
++  max -= PREAMBLE_SIZE;
++    
+   *chunk_type = be2me_32(*((uint32_t *)data));
+   chunk_size = be2me_32(*((uint32_t *)(data+4)));
+
+@@ -222,7 +227,11 @@
+     case PNA_TAG:
+       *need_response=0;
+       ptr=data+PREAMBLE_SIZE;
++
++      if( max < 1 )
++        return -1;
+       _x_io_tcp_read (p->stream, p->s, ptr++, 1);
++      max -= 1;
+
+       while(1) {
+ 	/* The pna chunk is devided into subchunks.
+@@ -235,17 +244,29 @@
+ 	 * if first byte is 'F', we got an error
+ 	 */
+
++        if( max < 2 )
++          return -1;
+         _x_io_tcp_read (p->stream, p->s, ptr, 2);
++        max -= 2;
++        
+ 	if (*ptr == 'X') /* checking for server message */
+ 	{
+ 	  xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "input_pnm: got a message from server:\n");
++          if( max < 1 )
++            return -1;
+ 	  _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
++          max -= 1;
+
+ 	  /* two bytes of message length*/
+ 	  n=be2me_16(*(uint16_t*)(ptr+1));
+
+ 	  /* message itself */
++          if( max < n )
++            return -1;
+ 	  _x_io_tcp_read (p->stream, p->s, ptr+3, n);
++          max -= n;
++          if( max < 1 )
++            return -1;
+ 	  ptr[3+n]=0;
+ 	  xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "%s\n", ptr+3);
+ 	  return -1;
+@@ -265,10 +286,15 @@
+ 	}
+ 	if (*ptr != 0x4f) break;
+ 	n=ptr[1];
+-	_x_io_tcp_read (p->stream, p->s, ptr+2, n);
++        if( max < n )
++          return -1;
++        _x_io_tcp_read (p->stream, p->s, ptr+2, n);
+ 	ptr+=(n+2);
++        max-=n;
+       }
+       /* the checksum of the next chunk is ignored here */
++      if( max < 1 )
++        return -1;
+       _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
+       ptr+=3;
+       chunk_size=ptr-data;
+@@ -278,11 +304,11 @@
+     case PROP_TAG:
+     case MDPR_TAG:
+     case CONT_TAG:
+-      if (chunk_size > max) {
++      if (chunk_size > max || chunk_size < PREAMBLE_SIZE) {
+         xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "error: max chunk size exeeded (max was 0x%04x)\n", max);
++#ifdef LOG
+ 	/* reading some bytes for debugging */
+         n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE);
+-#ifdef LOG
+         xine_hexdump(data,n+PREAMBLE_SIZE);
+ #endif
+         return -1;
diff --git a/multimedia/xine-lib/patches/patch-bd b/multimedia/xine-lib/patches/patch-bd
@@ -0,0 +1,27 @@
+$NetBSD: patch-bd,v 1.1.2.2 2005/02/28 21:11:50 snj Exp $
+
+--- src/input/libreal/real.c	2004/09/08 15:09:30	1.19
++++ src/input/libreal/real.c	2004/12/15 12:53:46	1.20
+@@ -604,6 +604,8 @@
+   return (n <= 0) ? 0 : n+12;
+ }
+
++//! maximum size of the rtsp description, must be < INT_MAX
++#define MAX_DESC_BUF (20 * 1024 * 1024)
+ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
+
+   char *description=NULL;
+@@ -652,6 +654,13 @@
+   else
+     size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
+
++  if (size > MAX_DESC_BUF) {
++    printf("real: Content-length for description too big (> %uMB)!\n",
++           MAX_DESC_BUF/(1024*1024) );
++    xine_buffer_free(buf);
++    return NULL;
++  }
++
+   if (!rtsp_search_answers(rtsp_session,"ETag"))
+     lprintf("real: got no ETag!\n");
+   else