authormiwi <miwi@FreeBSD.org>2009-03-23 22:24:22 +0800
committermiwi <miwi@FreeBSD.org>2009-03-23 22:24:22 +0800
commited1a1a6de7cab76583815d0cfabba50908a9f143 (patch)
treebbc08a6e3ef61b1546eba931d420a5c39b910c1b /audio/amarok
parent7016a774c0cfd00908863f9f53a68461e5ccd43e (diff)
- Fix multiple vulnerabilities
- Bump PORTREVISION Note: Two integer overflow errors exist within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp. These can be exploited to cause heap-based buffer overflows via specially crafted Audible Audio files. Two errors within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp can be exploited to corrupt arbitrary memory via specially crafted Audible Audio files. PR: 132938 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Approved by: makc (maintainer) Security: http://www.vuxml.org/freebsd/6bb6188c-17b2-11de-ae4d-0030843d3802.html
Diffstat (limited to 'audio/amarok')
-rw-r--r--audio/amarok/Makefile2
-rw-r--r--audio/amarok/files/patch-tkadv2009-00285
2 files changed, 86 insertions, 1 deletions
diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index d4a65f3e3b2c..2493552f8c3c 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -6,7 +6,7 @@
PORTNAME= amarok
PORTVERSION= 1.4.10
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= audio kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= stable/${PORTNAME}/${PORTVERSION}/src
diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002
new file mode 100644
index 000000000000..7e4cb0cdeceb
--- /dev/null
+++ b/audio/amarok/files/patch-tkadv2009-002
@@ -0,0 +1,85 @@
+--- amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:36:52 908414
++++ amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415
+@@ -71,7 +71,8 @@
+ {
+ char buf[1023];
+ fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+- fread(buf, strlen("product_id"), 1, fp);
++ if (fread(buf, strlen("product_id"), 1, fp) != 1)
++ return;
+ if(memcmp(buf, "product_id", strlen("product_id")))
+ {
+ buf[20]='\0';
+@@ -130,24 +131,65 @@
+
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
++ const uint32_t maxtaglen = 100000;
++
+ uint32_t nlen;
+- fread(&nlen, sizeof(nlen), 1, fp);
++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++ return false;
+ nlen = ntohl(nlen);
+ //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+- *name = new char[nlen+1];
+- (*name)[nlen] = '\0';
++ if (nlen > maxtaglen)
++ return false;
+
+ uint32_t vlen;
+- fread(&vlen, sizeof(vlen), 1, fp);
++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++ return false;
+ vlen = ntohl(vlen);
+ //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++ if (vlen > maxtaglen)
++ return false;
++
++ *name = new char[nlen+1];
++ if (!*name)
++ return false;
++
+ *value = new char[vlen+1];
++ if (!*value)
++ {
++ delete[] *name;
++ *name = 0;
++ return false;
++ }
++
++ (*name)[nlen] = '\0';
+ (*value)[vlen] = '\0';
+
+- fread(*name, nlen, 1, fp);
+- fread(*value, vlen, 1, fp);
++ if (fread(*name, nlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
++ if (fread(*value, vlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ char lasttag;
+- fread(&lasttag, 1, 1, fp);
++ if (fread(&lasttag, 1, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+
+ m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
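Review bot: In the `readTag` hunk, the four early `return false` paths (the failed length reads and the two `maxtaglen` checks) leave `*name` and `*value` untouched, while the later failure paths reset both to 0; a caller that frees the out-parameters on failure (the callers are not visible here) would then `delete[]` an indeterminate pointer, so I would add `*name = 0; *value = 0;` as the first statements of the function. The `if (!*name)` and `if (!*value)` checks never fire with plain `new[]`, which throws `std::bad_alloc` instead of returning null; `new (std::nothrow) char[nlen+1]` (and the same for `vlen`) would make them effective. Separately, `fread(*name, nlen, 1, fp) != 1` and its `vlen` counterpart now reject a zero-length name or value, because `fread` returns 0 when the element size is 0; if empty tags are legal in this format, guard the calls with `nlen &&` / `vlen &&`. The body of `readTag` continues past the end of the hunk.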