aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorvd <vd@FreeBSD.org>2006-03-09 16:42:28 +0800
committervd <vd@FreeBSD.org>2006-03-09 16:42:28 +0800
commitdef365c11aa012e939270b4554670b98a57e2d6a (patch)
tree6574894d0e924555f8d2879cdc7fd8027269ec25
parent2fa08615a25eda320401d3d5e7f5e93cb3ff90ae (diff)
downloadfreebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.tar.gz
freebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.tar.zst
freebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.zip
Fix mplayer vulnerability (heap overflow) in the ASF demuxer
Arbitrary remote code execution under the user ID running the player when streaming an ASF file from a malicious server. PR: ports/93767 Submitted by: "Thomas E. Zander" <riggs@rrr.de> (maintainer) Approved by: portmgr (erwin) Obtained from: mplayer CVS repo: http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r2=1.90&r1=1.87&f=u Security: heap overflow in the ASF demuxer (http://www.mplayerhq.hu/design7/news.html#vuln13, http://bugs.gentoo.org/show_bug.cgi?id=122029)
-rw-r--r--multimedia/mplayer/Makefile2
-rw-r--r--multimedia/mplayer/files/patch-libmpdemux_demuxer.h37
2 files changed, 38 insertions, 1 deletions
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index 851ea012ea4a..b0ac88fec333 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
@@ -270,7 +270,7 @@
PORTNAME= mplayer
PORTVERSION= 0.99.7
-PORTREVISION= 10
+PORTREVISION= 11
CATEGORIES= multimedia audio ipv6
MASTER_SITES= http://www1.mplayerhq.hu/MPlayer/releases/ \
http://www2.mplayerhq.hu/MPlayer/releases/ \
diff --git a/multimedia/mplayer/files/patch-libmpdemux_demuxer.h b/multimedia/mplayer/files/patch-libmpdemux_demuxer.h
new file mode 100644
index 000000000000..ea9ec6d15bd9
--- /dev/null
+++ b/multimedia/mplayer/files/patch-libmpdemux_demuxer.h
@@ -0,0 +1,37 @@
+--- libmpdemux/demuxer.h 9 Feb 2006 19:39:51 -0000 1.87
++++ libmpdemux/demuxer.h 12 Feb 2006 17:01:30 -0000 1.90
+@@ -190,17 +190,19 @@
+ dp->flags=0;
+ dp->refcount=1;
+ dp->master=NULL;
+- dp->buffer=len?(unsigned char*)malloc(len+8):NULL;
+- if(len) memset(dp->buffer+len,0,8);
++ dp->buffer=NULL;
++ if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8)))
++ memset(dp->buffer + len, 0, 8);
++ else
++ dp->len = 0;
+ return dp;
+ }
+
+ inline static void resize_demux_packet(demux_packet_t* dp, int len)
+ {
+- if(len)
++ if(len > 0)
+ {
+ dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);
+- memset(dp->buffer+len,0,8);
+ }
+ else
+ {
+@@ -208,6 +210,10 @@
+ dp->buffer=NULL;
+ }
+ dp->len=len;
++ if (dp->buffer)
++ memset(dp->buffer + len, 0, 8);
++ else
++ dp->len = 0;
+ }
+
+ inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){