- Add security patch

- Bump PORTREVISION

Approved by:	maintainer
Obtained from:	Mplayer CVS
Security:	VuXML c7526a14-c4dc-11da-9699-00123ffe8333

2 files changed, 70 insertions, 2 deletions

diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index b0ac88fec333..d71e09a3259f 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
@@ -270,7 +270,7 @@
 
 PORTNAME=	mplayer
 PORTVERSION=	0.99.7
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	multimedia audio ipv6
 MASTER_SITES=	http://www1.mplayerhq.hu/MPlayer/releases/ \
 		http://www2.mplayerhq.hu/MPlayer/releases/ \
@@ -332,7 +332,6 @@ CONFIGURE_ARGS+=--with-x11libdir=${X11BASE}/lib \
 
 WANT_GNOME=	yes
 WANT_SDL=	yes
-USE_REINPLACE=	yes
 MAN1=		mplayer.1
 MANCOMPRESSED=	no
 
diff --git a/multimedia/mplayer/files/patch-CVE-2006-1502 b/multimedia/mplayer/files/patch-CVE-2006-1502
new file mode 100644
index 000000000000..4e9fe7e3cf32
--- /dev/null
+++ b/multimedia/mplayer/files/patch-CVE-2006-1502
@@ -0,0 +1,69 @@
+--- libmpdemux/aviheader.c.orig	Tue Feb 22 17:24:18 2005
++++ libmpdemux/aviheader.c	Fri Apr  7 11:56:53 2006
+@@ -205,8 +205,10 @@
+       break; }
+     case mmioFOURCC('i', 'n', 'd', 'x'): {
+       uint32_t i;
+-      unsigned msize = 0;
+       avisuperindex_chunk *s;
++      if(chunksize<=24){
++        break;
++      }
+       priv->suidx_size++;
+       priv->suidx = realloc(priv->suidx, priv->suidx_size * sizeof (avisuperindex_chunk));
+       s = &priv->suidx[priv->suidx_size-1];
+@@ -224,11 +226,18 @@
+ 	  
+       print_avisuperindex_chunk(s);
+ 
+-      msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse;
+-      s->aIndex = malloc(msize);
+-      memset (s->aIndex, 0, msize);
+-      s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk));
+-      memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));
++      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
++        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
++        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
++      }
++
++      // Check and fix this useless crap
++      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
++        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
++        s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
++      }
++      s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
++      s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
+ 
+       // now the real index of indices
+       for (i=0; i<s->nEntriesInUse; i++) {
+@@ -636,6 +645,8 @@
+     idx->dwChunkLength=len;
+     
+     c=stream_read_dword(demuxer->stream);
++
++    if(!len) idx->dwFlags&=~AVIIF_KEYFRAME;
+ 
+     // Fix keyframes for DivX files:
+     if(idxfix_divx)
+--- libmpdemux/asfheader.c.orig	Sat Dec 25 09:31:32 2004
++++ libmpdemux/asfheader.c	Fri Apr  7 11:55:29 2006
+@@ -189,7 +189,7 @@
+   while ((pos = find_asf_guid(hdr, asf_stream_header_guid, pos, hdr_len)) >= 0)
+   {
+     ASF_stream_header_t *streamh = (ASF_stream_header_t *)&hdr[pos];
+-    char *buffer;
++    uint8_t *buffer;
+     pos += sizeof(ASF_stream_header_t);
+     if (pos > hdr_len) goto len_err_out;
+     le2me_ASF_stream_header_t(streamh);
+@@ -222,7 +222,9 @@
+           asf_scrambling_h=buffer[0];
+           asf_scrambling_w=(buffer[2]<<8)|buffer[1];
+           asf_scrambling_b=(buffer[4]<<8)|buffer[3];
+-  	  asf_scrambling_w/=asf_scrambling_b;
++          if(asf_scrambling_b>0){
++  	    asf_scrambling_w/=asf_scrambling_b;
++          }
+ 	} else {
+ 	  asf_scrambling_b=asf_scrambling_h=asf_scrambling_w=1;
+ 	}