add a patch from upstream to fix a buffer overflow in vorbis coverart

code (CVE-2009-0586), bump PKGREVISION
This commit is contained in:
drochner 2009-03-23 12:03:24 +00:00
parent 002231483d
commit 789ba336e9
3 changed files with 91 additions and 2 deletions

View file

@ -1,9 +1,11 @@
# $NetBSD: Makefile,v 1.10 2009/01/26 10:39:01 drochner Exp $
# $NetBSD: Makefile,v 1.11 2009/03/23 12:03:24 drochner Exp $
#
PKG_DESTDIR_SUPPORT= user-destdir
.include "Makefile.common"
PKGREVISION= 1
COMMENT+= base plugins
# some plugins were moved from bad to base

View file

@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.20 2009/01/26 10:39:01 drochner Exp $
$NetBSD: distinfo,v 1.21 2009/03/23 12:03:24 drochner Exp $
SHA1 (gst-plugins-base-0.10.22.tar.bz2) = 8e6a894858f5412234ce1591bbb773102c150cb7
RMD160 (gst-plugins-base-0.10.22.tar.bz2) = 013de77422d6e89b64cf55ff7299b0ff1e38ef8a
@ -6,3 +6,4 @@ Size (gst-plugins-base-0.10.22.tar.bz2) = 2118085 bytes
SHA1 (patch-aa) = be36e5a0f1de11900df7c510e7a9a03dd19d6e85
SHA1 (patch-ab) = 0a739fbee2c49d75e9164c2b083820fd9d27c34a
SHA1 (patch-ac) = 3a8a102f2c0740f481e115d68bc44d9e2bf66aae
SHA1 (patch-ad) = f10ef3184acacf800ca50839e95fbd358f892cc9

View file

@ -0,0 +1,86 @@
$NetBSD: patch-ad,v 1.1 2009/03/23 12:03:24 drochner Exp $
--- gst-libs/gst/tag/gstvorbistag.c.orig 2008-10-11 01:22:50.000000000 +0200
+++ gst-libs/gst/tag/gstvorbistag.c
@@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, c
}
static void
-gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
+gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64,
gint base64_len)
{
GstBuffer *img;
- guchar *img_data;
gsize img_len;
+ guchar *out;
guint save = 0;
gint state = 0;
if (base64_len < 2)
goto not_enough_data;
- img_data = g_try_malloc0 (base64_len * 3 / 4);
-
- if (img_data == NULL)
- goto alloc_failed;
-
- img_len = g_base64_decode_step (img_data_base64, base64_len, img_data,
- &state, &save);
+ /* img_data_base64 points to a temporary copy of the base64 encoded data, so
+ * it's safe to do inpace decoding here
+ * TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this
+ * to use glib's API instead once it's in wider use:
+ * http://bugzilla.gnome.org/show_bug.cgi?id=564728
+ * http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */
+ out = (guchar *) img_data_base64;
+ img_len = g_base64_decode_step (img_data_base64, base64_len,
+ out, &state, &save);
if (img_len == 0)
goto decode_failed;
- img = gst_tag_image_data_to_image_buffer (img_data, img_len,
+ img = gst_tag_image_data_to_image_buffer (out, img_len,
GST_TAG_IMAGE_TYPE_NONE);
if (img == NULL)
@@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList
GST_TAG_PREVIEW_IMAGE, img, NULL);
gst_buffer_unref (img);
- g_free (img_data);
return;
/* ERRORS */
@@ -347,21 +348,14 @@ not_enough_data:
GST_WARNING ("COVERART tag with too little base64-encoded data");
return;
}
-alloc_failed:
- {
- GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag");
- return;
- }
decode_failed:
{
- GST_WARNING ("Couldn't decode bas64 image data from COVERART tag");
- g_free (img_data);
+ GST_WARNING ("Couldn't decode base64 image data from COVERART tag");
return;
}
convert_failed:
{
GST_WARNING ("Couldn't extract image or image type from COVERART tag");
- g_free (img_data);
return;
}
}
@@ -457,6 +451,7 @@ error:
return NULL;
#undef ADVANCE
}
+
typedef struct
{
guint count;