Add patch to fix ffmpeg remote system access vulnerability (CVE-2008-3162).

2008-09-01 00:00:10 +00:00 · 2008-09-01 00:00:10 +00:00 · c8e51c424c
commit c8e51c424c
parent ce981fbb1d
3 changed files with 56 additions and 3 deletions
--- a/multimedia/ffmpeg/Makefile
+++ b/multimedia/ffmpeg/Makefile
@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.35 2008/01/22 22:51:45 jdc Exp $
+# $NetBSD: Makefile,v 1.36 2008/09/01 00:00:10 tonnerre Exp $

 DISTNAME=	ffmpeg-0.4.9-pre1
 PKGNAME=	ffmpeg-0.4.9pre1
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	multimedia
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=ffmpeg/}

--- a/multimedia/ffmpeg/distinfo
+++ b/multimedia/ffmpeg/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/12/22 00:05:25 joerg Exp $
+$NetBSD: distinfo,v 1.15 2008/09/01 00:00:10 tonnerre Exp $

 SHA1 (ffmpeg-0.4.9-pre1.tar.gz) = aad00445137520bec19e56bcb042e75a10c53bb3
 RMD160 (ffmpeg-0.4.9-pre1.tar.gz) = fd682846f97ada32951af7844e185c42783189a4
@ -14,5 +14,6 @@ SHA1 (patch-ah) = 3b600dd8d5bc0d4363139cea0ba8338691d8fa75
 SHA1 (patch-ai) = fe1bbecd05f2eef812650efa83223a3b6417ed6a
 SHA1 (patch-aj) = b998fdc2b3cc5f6efd2fb4f12fbb630d5832004b
 SHA1 (patch-ak) = 564d7d55372281909f70c63c6a72eb7d97afd99d
+SHA1 (patch-al) = d418bf4af796f1e3b829ceab19ddde94a0ca8ec4
 SHA1 (patch-an) = 3e2327f2a30571daf82edd67128c63845819224e
 SHA1 (patch-ao) = f1e8f504a951ab02d70aae083862414b32d8b55a
--- a/multimedia/ffmpeg/patches/patch-al
+++ b/multimedia/ffmpeg/patches/patch-al
@ -0,0 +1,52 @@
+$NetBSD: patch-al,v 1.1 2008/09/01 00:00:10 tonnerre Exp $
+
+--- libavformat/psxstr.c.orig	2004-06-19 05:59:34.000000000 +0200
+++ libavformat/psxstr.c
+@@ -273,12 +273,21 @@ static int str_read_packet(AVFormatConte
+                 int current_sector = LE_16(&sector[0x1C]);
+                 int sector_count   = LE_16(&sector[0x1E]);
+                 int frame_size = LE_32(&sector[0x24]);
+-                int bytes_to_copy;
+                
+		if(!(   frame_size>=0
+		     && current_sector < sector_count
+		     && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
+		    av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
+		    return AVERROR_INVALIDDATA;
+		}
+ //        printf("%d %d %d\n",current_sector,sector_count,frame_size);
+                 /* if this is the first sector of the frame, allocate a pkt */
+                 pkt = &str->tmp_pkt;
+-                if (current_sector == 0) {
+-                    if (av_new_packet(pkt, frame_size))
+                if (pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
+		    if(pkt->data)
+			av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
+		    av_free_packet(pkt);
+                    if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+                         return AVERROR_IO;
+ 
+                     pkt->stream_index = 
+@@ -291,15 +300,15 @@ static int str_read_packet(AVFormatConte
+                        str->pts += (90000 / 15);
+                 }
+ 
+-                /* load all the constituent chunks in the video packet */
+-                bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+-                if (bytes_to_copy>0) {
+-                    if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+-                    memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+-                        sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+-                }
+                memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+                        sector + VIDEO_DATA_HEADER_SIZE,
+			VIDEO_DATA_CHUNK_SIZE);
+
+                 if (current_sector == sector_count-1) {
+		    pkt->size= frame_size;
+                     *ret_pkt = *pkt;
+		    pkt->data= NULL;
+		    pkt->size= -1;
+                     return 0;
+                 }
+