Pullup ticket 952 - requested by Lubomir Sedlacik

Security fix via patch for mplayer, gmplayer and mencoder. Module Name: pkgsrc Committed By: salo Date: Sat Dec 10 23:34:42 UTC 2005 Modified Files: pkgsrc/multimedia/gmplayer: Makefile distinfo pkgsrc/multimedia/mencoder: Makefile pkgsrc/multimedia/mplayer: Makefile pkgsrc/multimedia/mplayer-share: distinfo Added Files: pkgsrc/multimedia/mplayer-share/patches: patch-ai Log Message: Security fix for SA17892: "A vulnerability in FFmpeg libavcodec can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system." http://secunia.com/advisories/17892/ Fix from ffmpeg CVS repository, libavcodec/utils.c rev. 1.162: "default_get_buffer() cleanup fixes probably exploitable heap overflow heap overflow found by (Simon Kilvington)"
jsonn · Dec 12, 2005 · ca134d5 · ca134d5
1 parent d2de97c
commit ca134d5
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 8 deletions.
diff --git a/multimedia/gmplayer/Makefile b/multimedia/gmplayer/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.37 2005/08/27 06:59:52 dogcow Exp $
+# $NetBSD: Makefile,v 1.37.2.1 2005/12/12 13:18:47 seb Exp $
 
 #
 # NOTE: if you are updating both mplayer and gmplayer, you must ensure
@@ -9,7 +9,7 @@
 #
 
 PKGNAME=	gmplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=	1
+PKGREVISION=	4
 
 SKIN_SITES=	http://www.mplayerhq.hu/MPlayer/Skin/		\
 		ftp://ftp.mplayerhq.hu/MPlayer/Skin/		\

diff --git a/multimedia/gmplayer/distinfo b/multimedia/gmplayer/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2005/09/02 10:52:09 rillig Exp $
+$NetBSD: distinfo,v 1.29.2.1 2005/12/12 13:18:47 seb Exp $
 
 SHA1 (gmplayer-1.0rc7-20050409/MPlayer-1.0pre7.tar.bz2) = df1e8d4f2f44d72c6f7989932f3b272e815ecb80
 RMD160 (gmplayer-1.0rc7-20050409/MPlayer-1.0pre7.tar.bz2) = a4bac10df287c4b134ea49b3bc9bf7fb0126cae6
@@ -70,6 +70,7 @@ SHA1 (patch-ad) = d705dd315e913593223b83e533c60a9620d34cc8
 SHA1 (patch-ae) = 601808d8c89cba68156fb3c95fe9fcfb8da4fca0
 SHA1 (patch-af) = 6eab8572b239f6ac7afc03ad6254a7c97f90663e
 SHA1 (patch-ag) = 9bc3466ef24970e3f26fc64601d9f2c27fa394d2
+SHA1 (patch-ai) = a884b7a23ff8b2c31e6190d2ba9989a8f0057a0c
 SHA1 (patch-da) = be092da4f854708c1ef47f10c26e361c095a6799
 SHA1 (patch-dc) = b11ef06a89f13e2ae5e013d569aa5acc99c770aa
 SHA1 (patch-dd) = e5b23b73a1e53e3185ecbac26042432395cd5e63

diff --git a/multimedia/mencoder/Makefile b/multimedia/mencoder/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2005/08/27 06:59:52 dogcow Exp $
+# $NetBSD: Makefile,v 1.22.2.1 2005/12/12 13:18:47 seb Exp $
 
 PKGNAME=	mencoder-${MPLAYER_PKG_VERSION}
-PKGREVISION=	1
+PKGREVISION=	2
 
 COMMENT=	Simple movie encoder for MPlayer-playable movies
 

diff --git a/multimedia/mplayer-share/distinfo b/multimedia/mplayer-share/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2005/08/27 06:59:52 dogcow Exp $
+$NetBSD: distinfo,v 1.23.2.1 2005/12/12 13:18:46 seb Exp $
 
 SHA1 (mplayer-1.0rc7/MPlayer-1.0pre7.tar.bz2) = df1e8d4f2f44d72c6f7989932f3b272e815ecb80
 RMD160 (mplayer-1.0rc7/MPlayer-1.0pre7.tar.bz2) = a4bac10df287c4b134ea49b3bc9bf7fb0126cae6
@@ -19,6 +19,7 @@ SHA1 (patch-ad) = d705dd315e913593223b83e533c60a9620d34cc8
 SHA1 (patch-ae) = 601808d8c89cba68156fb3c95fe9fcfb8da4fca0
 SHA1 (patch-af) = 6eab8572b239f6ac7afc03ad6254a7c97f90663e
 SHA1 (patch-ag) = 9bc3466ef24970e3f26fc64601d9f2c27fa394d2
+SHA1 (patch-ai) = a884b7a23ff8b2c31e6190d2ba9989a8f0057a0c
 SHA1 (patch-da) = be092da4f854708c1ef47f10c26e361c095a6799
 SHA1 (patch-dc) = b11ef06a89f13e2ae5e013d569aa5acc99c770aa
 SHA1 (patch-dd) = e5b23b73a1e53e3185ecbac26042432395cd5e63

diff --git a/multimedia/mplayer-share/patches/patch-ai b/multimedia/mplayer-share/patches/patch-ai
@@ -0,0 +1,82 @@
+$NetBSD: patch-ai,v 1.1.2.2 2005/12/12 13:18:47 seb Exp $
+
+Security fix for SA17892, from ffmpeg CVS repository.
+
+--- libavcodec/utils.c.orig	2005-04-16 22:41:13.000000000 +0200
++++ libavcodec/utils.c	2005-12-10 23:59:36.000000000 +0100
+@@ -276,49 +276,50 @@
+         buf->last_pic_num= *picture_number;
+     }else{
+         int h_chroma_shift, v_chroma_shift;
+-        int pixel_size;
++        int pixel_size, size[3];
++        AVPicture picture;
+
+         avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
+
+-        switch(s->pix_fmt){
+-        case PIX_FMT_RGB555:
+-        case PIX_FMT_RGB565:
+-        case PIX_FMT_YUV422:
+-        case PIX_FMT_UYVY422:
+-            pixel_size=2;
+-            break;
+-        case PIX_FMT_RGB24:
+-        case PIX_FMT_BGR24:
+-            pixel_size=3;
+-            break;
+-        case PIX_FMT_RGBA32:
+-            pixel_size=4;
+-            break;
+-        default:
+-            pixel_size=1;
+-        }
+-
+         avcodec_align_dimensions(s, &w, &h);
+
+         if(!(s->flags&CODEC_FLAG_EMU_EDGE)){
+             w+= EDGE_WIDTH*2;
+             h+= EDGE_WIDTH*2;
+         }
++        avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
++        pixel_size= picture.linesize[0]*8 / w;
++//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
++        assert(pixel_size>=1);
++            //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
++        if(pixel_size == 3*8)
++            w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
++        else
++            w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
++        size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
++        size[0] = picture.linesize[0] * h;
++        size[1] -= size[0];
++        if(picture.data[2])
++            size[1]= size[2]= size[1]/2;
++        else
++            size[2]= 0;
+
+         buf->last_pic_num= -256*256*256*64;
++        memset(buf->base, 0, sizeof(buf->base));
++        memset(buf->data, 0, sizeof(buf->data));
+
+-        for(i=0; i<3; i++){
++        for(i=0; i<3 && size[i]; i++){
+             const int h_shift= i==0 ? 0 : h_chroma_shift;
+             const int v_shift= i==0 ? 0 : v_chroma_shift;
+
+-            //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
+-            buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift)); 
++            buf->linesize[i]= picture.linesize[i];
+
+-            buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
++            buf->base[i]= av_malloc(size[i]+16); //FIXME 16
+             if(buf->base[i]==NULL) return -1;
+-            memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
++            memset(buf->base[i], 128, size[i]);
+
+-            if(s->flags&CODEC_FLAG_EMU_EDGE)
++            // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
++            if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2]) 
+                 buf->data[i] = buf->base[i];
+             else
+                 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.20 2005/08/27 06:59:52 dogcow Exp $
+# $NetBSD: Makefile,v 1.20.2.1 2005/12/12 13:18:46 seb Exp $
 
 PKGNAME=	mplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=	2
+PKGREVISION=	6
 
 COMMENT=	Software-only MPEG-1/2/4 video decoder