diff options
author | vd <vd@FreeBSD.org> | 2006-03-09 16:42:28 +0800 |
---|---|---|
committer | vd <vd@FreeBSD.org> | 2006-03-09 16:42:28 +0800 |
commit | def365c11aa012e939270b4554670b98a57e2d6a (patch) | |
tree | 6574894d0e924555f8d2879cdc7fd8027269ec25 | |
parent | 2fa08615a25eda320401d3d5e7f5e93cb3ff90ae (diff) | |
download | freebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.tar.gz freebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.tar.zst freebsd-ports-gnome-def365c11aa012e939270b4554670b98a57e2d6a.zip |
Fix mplayer vulnerability (heap overflow) in the ASF demuxer
Arbitrary remote code execution under the user ID running the player
when streaming an ASF file from a malicious server.
PR: ports/93767
Submitted by: "Thomas E. Zander" <riggs@rrr.de> (maintainer)
Approved by: portmgr (erwin)
Obtained from: mplayer CVS repo: http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r2=1.90&r1=1.87&f=u
Security: heap overflow in the ASF demuxer (http://www.mplayerhq.hu/design7/news.html#vuln13, http://bugs.gentoo.org/show_bug.cgi?id=122029)
-rw-r--r-- | multimedia/mplayer/Makefile | 2 | ||||
-rw-r--r-- | multimedia/mplayer/files/patch-libmpdemux_demuxer.h | 37 |
2 files changed, 38 insertions, 1 deletions
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile index 851ea012ea4a..b0ac88fec333 100644 --- a/multimedia/mplayer/Makefile +++ b/multimedia/mplayer/Makefile @@ -270,7 +270,7 @@ PORTNAME= mplayer PORTVERSION= 0.99.7 -PORTREVISION= 10 +PORTREVISION= 11 CATEGORIES= multimedia audio ipv6 MASTER_SITES= http://www1.mplayerhq.hu/MPlayer/releases/ \ http://www2.mplayerhq.hu/MPlayer/releases/ \ diff --git a/multimedia/mplayer/files/patch-libmpdemux_demuxer.h b/multimedia/mplayer/files/patch-libmpdemux_demuxer.h new file mode 100644 index 000000000000..ea9ec6d15bd9 --- /dev/null +++ b/multimedia/mplayer/files/patch-libmpdemux_demuxer.h @@ -0,0 +1,37 @@ +--- libmpdemux/demuxer.h 9 Feb 2006 19:39:51 -0000 1.87 ++++ libmpdemux/demuxer.h 12 Feb 2006 17:01:30 -0000 1.90 +@@ -190,17 +190,19 @@ + dp->flags=0; + dp->refcount=1; + dp->master=NULL; +- dp->buffer=len?(unsigned char*)malloc(len+8):NULL; +- if(len) memset(dp->buffer+len,0,8); ++ dp->buffer=NULL; ++ if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8))) ++ memset(dp->buffer + len, 0, 8); ++ else ++ dp->len = 0; + return dp; + } + + inline static void resize_demux_packet(demux_packet_t* dp, int len) + { +- if(len) ++ if(len > 0) + { + dp->buffer=(unsigned char *)realloc(dp->buffer,len+8); +- memset(dp->buffer+len,0,8); + } + else + { +@@ -208,6 +210,10 @@ + dp->buffer=NULL; + } + dp->len=len; ++ if (dp->buffer) ++ memset(dp->buffer + len, 0, 8); ++ else ++ dp->len = 0; + } + + inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){ |