[pkgsrc/trunk]: pkgsrc/multimedia/vlc Fix vlc wav handling heap overflow. A s...

[tonnerre <tonnerre%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/0cdc6618216d
branches:  trunk
changeset: 544030:0cdc6618216d
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Thu Jul 03 21:50:02 2008 +0000

description:
Fix vlc wav handling heap overflow. A specially crafted .WAV file could
be used to achieve that with an overly large fmt chunk. (CVE-2008-2430)

diffstat:

 multimedia/vlc/Makefile         |   4 +-
 multimedia/vlc/distinfo         |   3 +-
 multimedia/vlc/patches/patch-ae |  43 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 3 deletions(-)

diffs (76 lines):

diff -r 44dcf16dbe8f -r 0cdc6618216d multimedia/vlc/Makefile
--- a/multimedia/vlc/Makefile   Thu Jul 03 21:33:41 2008 +0000
+++ b/multimedia/vlc/Makefile   Thu Jul 03 21:50:02 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.56 2008/06/20 01:09:29 joerg Exp $
+# $NetBSD: Makefile,v 1.57 2008/07/03 21:50:02 tonnerre Exp $
 #
 
 DISTNAME=              vlc-${VLC_VER}
 VLC_VER=               0.8.6f
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            multimedia
 MASTER_SITES=          http://download.videolan.org/pub/videolan/vlc/${VLC_VER}/
 EXTRACT_SUFX=          .tar.bz2
diff -r 44dcf16dbe8f -r 0cdc6618216d multimedia/vlc/distinfo
--- a/multimedia/vlc/distinfo   Thu Jul 03 21:33:41 2008 +0000
+++ b/multimedia/vlc/distinfo   Thu Jul 03 21:50:02 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2008/04/20 15:31:02 tonnerre Exp $
+$NetBSD: distinfo,v 1.17 2008/07/03 21:50:02 tonnerre Exp $
 
 SHA1 (vlc-0.8.6f.tar.bz2) = 9684bb7504636d3e3143734698c2bbac250f4a03
 RMD160 (vlc-0.8.6f.tar.bz2) = c52d0cb7e8ba36f9d0959b9d6e1e8b1b36b71b04
@@ -7,3 +7,4 @@
 SHA1 (patch-ab) = c311b82c00f1eea164189a9759c9ca576faec671
 SHA1 (patch-ac) = 69f90b13aa4c398a00c12279c8bd8af922e9e8aa
 SHA1 (patch-ad) = 29660533b468e6871fa8104e081f9321cfb30aa5
+SHA1 (patch-ae) = 21b6292e77469375edbfb7b828e298427e1ed118
diff -r 44dcf16dbe8f -r 0cdc6618216d multimedia/vlc/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc/patches/patch-ae   Thu Jul 03 21:50:02 2008 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-ae,v 1.5 2008/07/03 21:50:02 tonnerre Exp $
+
+--- modules/demux/wav.c.orig   2008-03-23 23:41:49.000000000 +0100
++++ modules/demux/wav.c
+@@ -103,7 +103,8 @@ static int Open( vlc_object_t * p_this )
+     demux_sys_t *p_sys;
+ 
+     uint8_t     *p_peek;
+-    unsigned int i_size, i_extended;
++    uint32_t   i_size;
++    unsigned int i_extended;
+     char        *psz_name;
+ 
+     WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
+@@ -136,7 +137,8 @@ static int Open( vlc_object_t * p_this )
+         msg_Err( p_demux, "cannot find 'fmt ' chunk" );
+         goto error;
+     }
+-    if( i_size < sizeof( WAVEFORMATEX ) - 2 )   /* XXX -2 isn't a typo */
++    i_size += 2;
++    if( i_size < sizeof( WAVEFORMATEX ) )
+     {
+         msg_Err( p_demux, "invalid 'fmt ' chunk" );
+         goto error;
+@@ -144,14 +146,15 @@ static int Open( vlc_object_t * p_this )
+     stream_Read( p_demux->s, NULL, 8 );   /* Cannot fail */
+ 
+     /* load waveformatex */
+-    p_wf_ext = malloc( __EVEN( i_size ) + 2 );
++    p_wf_ext = malloc( i_size );
+     if( p_wf_ext == NULL )
+          goto error;
+ 
+     p_wf = (WAVEFORMATEX *)p_wf_ext;
+     p_wf->cbSize = 0;
+-    if( stream_Read( p_demux->s,
+-                     p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
++    i_size -= 2;
++    if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
++     || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
+     {
+         msg_Err( p_demux, "cannot load 'fmt ' chunk" );
+         goto error;