author | naddy <naddy@FreeBSD.org> | 2007-11-13 22:28:29 +0800 |
---|---|---|
committer | naddy <naddy@FreeBSD.org> | 2007-11-13 22:28:29 +0800 |
commit | a153a7955e6006a293e0617ce0b12c767ee5b4f2 (patch) | |
tree | e1e2b3f2113364bf66732584b22b03ecf1de8eed /audio/xmms-flac | |
parent | d13ecdb78d72e664ebf289f1a723d4fe19a67564 (diff) | |
Fix integer overflows (CVE-2007-4619) by backporting corresponding
fixes from FLAC 1.2.1.
Reviewed by: miwi
Approved by: portmgr (linimon)
Security: ff65eecb-91e4-11dc-bd6c-0016179b2dd5
Diffstat (limited to 'audio/xmms-flac')
-rw-r--r-- | audio/xmms-flac/Makefile | 12 | ||||
-rw-r--r-- | audio/xmms-flac/distinfo | 3 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_plugin__common_charset.c | 25 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_plugin__common_tags.c | 59 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_plugin__xmms_plugin.c | 16 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_share_utf8_charset.c | 22 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_share_utf8_iconvert.c | 49 | ||||
-rw-r--r-- | audio/xmms-flac/files/patch-src_share_utf8_utf8.c | 72 |
8 files changed, 255 insertions, 3 deletions
diff --git a/audio/xmms-flac/Makefile b/audio/xmms-flac/Makefile
index 066bebc3236d..e8643e5c269a 100644
--- a/audio/xmms-flac/Makefile
+++ b/audio/xmms-flac/Makefile
@@ -7,11 +7,14 @@
 PORTNAME= xmms-flac
 PORTVERSION= 1.1.2
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= audio
-MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
-MASTER_SITE_SUBDIR= flac
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:S/$/:sf/} \
+ ${MASTER_SITE_LOCAL:S/$/:local/}
+MASTER_SITE_SUBDIR= flac/:sf naddy/:local
 DISTNAME= flac-${PORTVERSION}
+DISTFILES= ${EXTRACT_ONLY}:sf flac-alloc.h:local
+EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
 MAINTAINER= naddy@FreeBSD.org
 COMMENT= XMMS input plugin for playing FLAC files
@@ -28,6 +31,9 @@ MAKE_ARGS= LIBTOOL="${LIBTOOL} --tag=disable-static"
 MAKE_ENV= MAKEOBJDIR=/nonexistent # ignore ${WRKSRC}/obj
 MAKEFILE= ${FILESDIR}/Makefile
+post-extract:
+ @${CP} ${DISTDIR}/flac-alloc.h ${WRKSRC}/include/share/alloc.h
+
 # XXX
 post-install:
 ${RM} ${PREFIX}/lib/xmms/Input/libxmms-flac.la
diff --git a/audio/xmms-flac/distinfo b/audio/xmms-flac/distinfo
index c6618ce633a8..0928ac572faf 100644
--- a/audio/xmms-flac/distinfo
+++ b/audio/xmms-flac/distinfo
@@ -1,3 +1,6 @@
 MD5 (flac-1.1.2.tar.gz) = 2bfc127cdda02834d0491ab531a20960
 SHA256 (flac-1.1.2.tar.gz) = ce4f7d11b3c04a7368c916ca4abc284dd0c0256f461dfb7f07df1ab445e7a5c0
 SIZE (flac-1.1.2.tar.gz) = 1516235
+MD5 (flac-alloc.h) = 08891390039e2aee9bd4335f784467db
+SHA256 (flac-alloc.h) = da40afc663e5b3fe6dccd1a0f1c218b7ec02d3699d72b41d6978696896d7df98
+SIZE (flac-alloc.h) = 5697
diff --git a/audio/xmms-flac/files/patch-src_plugin__common_charset.c b/audio/xmms-flac/files/patch-src_plugin__common_charset.c
new file mode 100644
index 000000000000..ec73bd8e3042
--- /dev/null
+++ b/audio/xmms-flac/files/patch-src_plugin__common_charset.c
@@ -0,0 +1,25 @@
+
+$FreeBSD$
+
+--- src/plugin_common/charset.c.orig
++++ src/plugin_common/charset.c
+@@ -83,6 +83,8 @@
+ /* Due to a GLIBC bug, round outbuf_size up to a multiple of 4 */
+ /* + 1 for nul in case len == 1 */
+ outsize = ((length + 3) & ~3) + 1;
++ if(outsize < length) /* overflow check */
++ return NULL;
+ out = (char*)malloc(outsize);
+ outleft = outsize - 1;
+ outptr = out;
+@@ -95,6 +97,10 @@
+ {
+ case E2BIG:
+ used = outptr - out;
++ if((outsize - 1) * 2 + 1 <= outsize) { /* overflow check */
++ free(out);
++ return NULL;
++ }
+ outsize = (outsize - 1) * 2 + 1;
+ out = realloc(out, outsize);
+ outptr = out + used;
diff --git a/audio/xmms-flac/files/patch-src_plugin__common_tags.c b/audio/xmms-flac/files/patch-src_plugin__common_tags.c
new file mode 100644
index 000000000000..1439821d2f77
--- /dev/null
+++ b/audio/xmms-flac/files/patch-src_plugin__common_tags.c
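Review bot: In the E2BIG branch of the charset.c patch, the result of `realloc` is still assigned straight to `out` and used on the next line (`outptr = out + used;`) with no NULL test, so the added overflow check does not cover allocation failure: the old buffer leaks and `outptr` is derived from a null pointer. Consider `tmp = realloc(out, outsize); if(!tmp) { free(out); return NULL; } out = tmp;`, with `tmp` declared at the top of the function, which lies outside the hunk. The first inner hunk has a similar gap: no NULL test appears between `out = (char*)malloc(outsize);` and the end of the hunk, so it is worth confirming that one follows.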
@@ -0,0 +1,59 @@
+
+$FreeBSD$
+
+--- src/plugin_common/tags.c.orig
++++ src/plugin_common/tags.c
+@@ -23,6 +23,7 @@
+ #include "tags.h"
+ #include "FLAC/assert.h"
+ #include "FLAC/metadata.h"
++#include "share/alloc.h"
+
+
+ static __inline unsigned local__wide_strlen(const FLAC__uint16 *s)
+@@ -82,7 +83,7 @@
+ }
+
+ /* allocate */
+- out = (FLAC__uint16*)malloc(chars * sizeof(FLAC__uint16));
++ out = (FLAC__uint16*)safe_malloc_mul_2op_(chars, /*times*/sizeof(FLAC__uint16));
+ if (0 == out) {
+ FLAC__ASSERT(0);
+ return 0;
+@@ -130,19 +131,23 @@
+ static char *local__convert_ucs2_to_utf8(const FLAC__uint16 *src, unsigned length)
+ {
+ char *out;
+- unsigned len = 0;
++ unsigned len = 0, n;
+
+ FLAC__ASSERT(0 != src);
+
+ /* calculate length */
+ {
+ unsigned i;
+- for (i = 0; i < length; i++)
+- len += local__ucs2len(src[i]);
++ for (i = 0; i < length; i++) {
++ n += local__ucs2len(src[i]);
++ if(len + n < len) /* overflow check */
++ return 0;
++ len += n;
++ }
+ }
+
+ /* allocate */
+- out = (char*)malloc(len * sizeof(char));
++ out = (char*)safe_malloc_mul_2op_(len, /*times*/sizeof(char));
+ if (0 == out)
+ return 0;
+
+@@ -265,7 +270,7 @@
+ const size_t value_len = strlen(value);
+ const size_t separator_len = strlen(separator);
+ FLAC__byte *new_entry;
+- if(0 == (new_entry = (FLAC__byte*)realloc(entry->entry, entry->length + value_len + separator_len + 1)))
++ if(0 == (new_entry = (FLAC__byte*)safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+ return false;
+ memcpy(new_entry+entry->length, separator, separator_len);
+ entry->length += separator_len;
diff --git a/audio/xmms-flac/files/patch-src_plugin__xmms_plugin.c b/audio/xmms-flac/files/patch-src_plugin__xmms_plugin.c
index 9cc9f8ed6995..fc950fee81f4 100644
--- a/audio/xmms-flac/files/patch-src_plugin__xmms_plugin.c
+++ b/audio/xmms-flac/files/patch-src_plugin__xmms_plugin.c
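Review bot: In the `@@ -130,19 +131,23 @@` hunk of the tags.c patch (`local__convert_ucs2_to_utf8`), `n` is declared without an initializer (`unsigned len = 0, n;`) and then updated with `n += local__ucs2len(src[i]);`, so the first iteration reads an indeterminate value and later iterations accumulate instead of holding the length of the current character. The resulting `len` no longer matches what the conversion loop will write, which undermines the overflow check added directly below it and leaves the buffer from `safe_malloc_mul_2op_` mis-sized. The line should be `n = local__ucs2len(src[i]);`. The function body continues past the end of the hunk.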
@@ -16,3 +16,19 @@ $FreeBSD$
 xmms_cfg_read_int(cfg, "flac", "stream.http_buffer_size", &flac_cfg.stream.http_buffer_size);
 xmms_cfg_read_int(cfg, "flac", "stream.http_prebuffer", &flac_cfg.stream.http_prebuffer);
 xmms_cfg_read_boolean(cfg, "flac", "stream.use_proxy", &flac_cfg.stream.use_proxy);
+@@ -425,8 +431,13 @@
+ if(title) {
+ if (source_to_decoder_type (filename) == DECODER_FILE) {
+ static const char *errtitle = "Invalid FLAC File: ";
+- *title = g_malloc(strlen(errtitle) + 1 + strlen(filename) + 1 + 1);
+- sprintf(*title, "%s\"%s\"", errtitle, filename);
++ if(strlen(errtitle) + 1 + strlen(filename) + 1 + 1 < strlen(filename)) { /* overflow check */
++ *title = NULL;
++ }
++ else {
++ *title = g_malloc(strlen(errtitle) + 1 + strlen(filename) + 1 + 1);
++ sprintf(*title, "%s\"%s\"", errtitle, filename);
++ }
+ } else {
+ *title = NULL;
+ }
diff --git a/audio/xmms-flac/files/patch-src_share_utf8_charset.c b/audio/xmms-flac/files/patch-src_share_utf8_charset.c
new file mode 100644
index 000000000000..109f3c8afafb
--- /dev/null
+++ b/audio/xmms-flac/files/patch-src_share_utf8_charset.c
@@ -0,0 +1,22 @@
+
+$FreeBSD$
+
+--- src/share/utf8/charset.c.orig
++++ src/share/utf8/charset.c
+@@ -35,6 +35,7 @@
+
+ #include <stdlib.h>
+
++#include "share/alloc.h"
+ #include "charset.h"
+
+ #include "charmaps.h"
+@@ -492,7 +493,7 @@
+ if (!charset1 || !charset2 )
+ return -1;
+
+- tobuf = (char *)malloc(fromlen * charset2->max + 1);
++ tobuf = (char *)safe_malloc_mul2add_(fromlen, /*times*/charset2->max, /*+*/1);
+ if (!tobuf)
+ return -2;
+
diff --git a/audio/xmms-flac/files/patch-src_share_utf8_iconvert.c b/audio/xmms-flac/files/patch-src_share_utf8_iconvert.c
new file mode 100644
index 000000000000..755f1eaabd39
--- /dev/null
+++ b/audio/xmms-flac/files/patch-src_share_utf8_iconvert.c
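Review bot: In the `@@ -425,8 +431,13 @@` hunk added to patch-src_plugin__xmms_plugin.c, the length expression `strlen(errtitle) + 1 + strlen(filename) + 1 + 1` is written out twice, once in the overflow test and once in the `g_malloc` call, and the `sprintf` that follows is still unbounded, so three places have to be kept in agreement by hand. Computing the length once into a `size_t` and reusing it for the check, the allocation and an `snprintf` bound would make the relationship explicit. If the GLib this plugin builds against provides it, `*title = g_strdup_printf("%s\"%s\"", errtitle, filename);` would remove the manual sizing altogether.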
@@ -0,0 +1,49 @@
+
+$FreeBSD$
+
+--- src/share/utf8/iconvert.c.orig
++++ src/share/utf8/iconvert.c
+@@ -27,6 +27,7 @@
+ #include <iconv.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include "share/alloc.h"
+
+ /*
+ * Convert data from one encoding to another. Return:
+@@ -79,7 +80,7 @@
+ * This is deliberately not a config option as people often
+ * change their iconv library without rebuilding applications.
+ */
+- tocode1 = (char *)malloc(strlen(tocode) + 11);
++ tocode1 = (char *)safe_malloc_add_2op_(strlen(tocode), /*+*/11);
+ if (!tocode1)
+ goto fail;
+
+@@ -117,6 +118,8 @@
+ break;
+ if (obl < 6) {
+ /* Enlarge the buffer */
++ if(utflen*2 < utflen) /* overflow check */
++ goto fail;
+ utflen *= 2;
+ newbuf = (char *)realloc(utfbuf, utflen);
+ if (!newbuf)
+@@ -143,7 +146,7 @@
+ iconv_close(cd1);
+ return ret;
+ }
+- newbuf = (char *)realloc(utfbuf, (ob - utfbuf) + 1);
++ newbuf = (char *)safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+ if (!newbuf)
+ goto fail;
+ ob = (ob - utfbuf) + newbuf;
+@@ -194,7 +197,7 @@
+ outlen += ob - tbuf;
+
+ /* Convert from UTF-8 for real */
+- outbuf = (char *)malloc(outlen + 1);
++ outbuf = (char *)safe_malloc_add_2op_(outlen, /*+*/1);
+ if (!outbuf)
+ goto fail;
+ ib = utfbuf;
diff --git a/audio/xmms-flac/files/patch-src_share_utf8_utf8.c b/audio/xmms-flac/files/patch-src_share_utf8_utf8.c
new file mode 100644
index 000000000000..ecb45334861a
--- /dev/null
+++ b/audio/xmms-flac/files/patch-src_share_utf8_utf8.c
@@ -0,0 +1,72 @@
+
+$FreeBSD$
+
+--- src/share/utf8/utf8.c.orig
++++ src/share/utf8/utf8.c
+@@ -28,6 +28,7 @@
+ #include <config.h>
+ #endif
+
++#include "share/alloc.h"
+ #include "utf8.h"
+ #include "charset.h"
+
+@@ -57,10 +58,13 @@
+ } else {
+ size += 3;
+ }
++ if(size+n < size) /* overflow check */
++ return NULL;
++ size += n;
+ c = unicode[index++];
+ }
+
+- out = malloc(size + 1);
++ out = safe_malloc_add_2op_(size, /*+*/1);
+ if (out == NULL)
+ return NULL;
+ index = 0;
+@@ -101,11 +105,15 @@
+ } else {
+ index += 1;
+ }
++ if(size + 1 == 0) /* overflow check */
++ return NULL;
+ size += 1;
+ c = utf8[index++];
+ }
+
+- out = malloc((size + 1) * sizeof(wchar_t));
++ if(size + 1 == 0) /* overflow check */
++ return NULL;
++ out = safe_malloc_mul_2op_((size + 1), /*times*/sizeof(wchar_t));
+ if (out == NULL)
+ return NULL;
+ index = 0;
+@@ -147,7 +155,7 @@
+ return -1;
+ }
+
+- unicode = calloc(wchars + 1, sizeof(unsigned short));
++ unicode = safe_calloc_(wchars + 1, sizeof(unsigned short));
+ if(unicode == NULL)
+ {
+ fprintf(stderr, "Out of memory processing string to UTF8\n");
+@@ -197,7 +205,7 @@
+ return -1;
+ }
+
+- *to = calloc(chars + 1, sizeof(unsigned char));
++ *to = safe_calloc_(chars + 1, sizeof(unsigned char));
+ if(*to == NULL)
+ {
+ fprintf(stderr, "Out of memory processing string to local charset\n");
+@@ -285,7 +293,7 @@
+ if (ret != -1)
+ return ret;
+
+- s = malloc(fromlen + 1);
++ s = safe_malloc_add_2op_(fromlen, /*+*/1);
+ if (!s)
+ return -1;
+ strcpy(s, from); |
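Review bot: The `@@ -57,10 +58,13 @@` hunk of the utf8.c patch adds `if(size+n < size)` and `size += n;` but keeps the context line `size += 3;`, and no hunk in this patch declares `n` or assigns it in the branches above. If this function is built at all, it either fails to compile or counts each character twice; the branches would need to become `n = 1;` / `n = 2;` / `n = 3;` with `n` declared next to `size`. In the `@@ -101,11 +105,15 @@` hunk, `if(size + 1 == 0)` only detects wrap-around when `size` is an unsigned type. Its declaration is outside the hunk and should be confirmed, because for a signed `int` the test does not fire on overflow and the overflow itself is undefined behaviour. Both functions begin and end outside the hunks shown.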