pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/multimedia/vlc2 add patch from upstream to fix buffer ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/23be63791822
branches:  trunk
changeset: 624824:23be63791822
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Tue Oct 01 14:50:38 2013 +0000

description:
add patch from upstream to fix buffer overflow in the mp4a packetizer
(CVE-2013-4388)
bump PKGREV

diffstat:

 multimedia/vlc2/Makefile                    |   4 ++--
 multimedia/vlc2/distinfo                    |   3 ++-
 multimedia/vlc2/patches/patch-CVE-2013-4388 |  19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diffs (50 lines):

diff -r 2d671a1c08d2 -r 23be63791822 multimedia/vlc2/Makefile
--- a/multimedia/vlc2/Makefile  Tue Oct 01 14:48:45 2013 +0000
+++ b/multimedia/vlc2/Makefile  Tue Oct 01 14:50:38 2013 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.39 2013/09/02 19:51:19 adam Exp $
+# $NetBSD: Makefile,v 1.40 2013/10/01 14:50:38 drochner Exp $
 
 DISTNAME=              vlc-${VLC_VERSION}
-PKGREVISION=           2
+PKGREVISION=           3
 CATEGORIES=            multimedia
 MASTER_SITES=          ${MASTER_SITE_SOURCEFORGE:=vlc/} \
                        http://download.videolan.org/pub/videolan/vlc/${VLC_VERSION}/
diff -r 2d671a1c08d2 -r 23be63791822 multimedia/vlc2/distinfo
--- a/multimedia/vlc2/distinfo  Tue Oct 01 14:48:45 2013 +0000
+++ b/multimedia/vlc2/distinfo  Tue Oct 01 14:50:38 2013 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.20 2013/08/23 12:45:50 drochner Exp $
+$NetBSD: distinfo,v 1.21 2013/10/01 14:50:38 drochner Exp $
 
 SHA1 (vlc-2.0.8.tar.xz) = 8937ed30412bef49db77d2187a9e4734866f8ab7
 RMD160 (vlc-2.0.8.tar.xz) = cd2483e4447b8bc4a91dbcf95ff1213244dcf40f
 Size (vlc-2.0.8.tar.xz) = 18858236 bytes
+SHA1 (patch-CVE-2013-4388) = 19496eb8c81fd06adbc9d736e1ceafe55fa7c14d
 SHA1 (patch-aa) = 46003ac47b0b0ab97f481cbd755d48f624b0fa87
 SHA1 (patch-ab) = 7833e9d1e023f53dd1125af5049eb9d74b733905
 SHA1 (patch-ac) = 9cdb4bdad7f8e6a09e35b5a1142350d47d77f270
diff -r 2d671a1c08d2 -r 23be63791822 multimedia/vlc2/patches/patch-CVE-2013-4388
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc2/patches/patch-CVE-2013-4388       Tue Oct 01 14:50:38 2013 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-CVE-2013-4388,v 1.1 2013/10/01 14:50:38 drochner Exp $
+
+upstream commit 9794ec1cd268c04c8bca13a5fae15df6594dff3e
+
+--- modules/packetizer/mpeg4audio.c.orig       2012-04-27 17:14:57.000000000 +0000
++++ modules/packetizer/mpeg4audio.c
+@@ -892,8 +892,11 @@ static int LOASParse( decoder_t *p_dec, 
+                         continue;
+ 
+                     /* FIXME that's slow (and a bit ugly to write in place) */
+-                    for( i = 0; i < pi_payload[i_program][i_layer]; i++ )
++                    for( i = 0; i < pi_payload[i_program][i_layer]; i++ ) {
++                      if (i_accumulated >= i_buffer)
++                          return 0;
+                         p_buffer[i_accumulated++] = bs_read( &s, 8 );
++                  }
+                 }
+             }
+         }
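Review bot: The added guard `if (i_accumulated >= i_buffer) return 0;` leaves LOASParse with no comment or log line, so the code never says that `pi_payload[i_program][i_layer]` (presumably parsed from the stream) can exceed the room left in `p_buffer`, and a stream that trips the check is dropped silently. I would put `/* payload size may exceed the room left in p_buffer; stop before writing past i_buffer */` above the check, and consider a `msg_Warn( p_dec, ... )` before the return so malformed LOAS input shows up in logs. What a return value of 0 means to the caller is not visible here, and bytes already copied into `p_buffer` stay there, so it is worth confirming that the caller discards the frame in that case. LOASParse starts and ends outside the hunk, so any other writes to `p_buffer` in the function cannot be checked from these lines.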


