pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/multimedia apply a security fix from upstream CVS:



details:   https://anonhg.NetBSD.org/pkgsrc/rev/9263be3037d8
branches:  trunk
changeset: 533276:9263be3037d8
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Thu Sep 13 19:16:01 2007 +0000

description:
apply a security fix from upstream CVS:
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!

This should fix SA26806 (http://secunia.com/advisories/26806/).

bump PKGREVISIONs

diffstat:

 multimedia/gmplayer/Makefile              |   4 ++--
 multimedia/gmplayer/distinfo              |   3 ++-
 multimedia/mencoder/Makefile              |   4 ++--
 multimedia/mplayer-share/distinfo         |   3 ++-
 multimedia/mplayer-share/patches/patch-al |  26 ++++++++++++++++++++++++++
 multimedia/mplayer/Makefile               |   4 ++--
 6 files changed, 36 insertions(+), 8 deletions(-)

diffs (109 lines):

diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/gmplayer/Makefile
--- a/multimedia/gmplayer/Makefile      Thu Sep 13 12:12:14 2007 +0000
+++ b/multimedia/gmplayer/Makefile      Thu Sep 13 19:16:01 2007 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.62 2007/09/07 10:06:22 tron Exp $
+# $NetBSD: Makefile,v 1.63 2007/09/13 19:16:02 drochner Exp $
 
 #
 # NOTE: if you are updating both mplayer and gmplayer, you must ensure
@@ -9,7 +9,7 @@
 #
 
 PKGNAME=       gmplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=   3
+PKGREVISION=   4
 
 BROKEN_IN=             pkgsrc-2006Q4
 
diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/gmplayer/distinfo
--- a/multimedia/gmplayer/distinfo      Thu Sep 13 12:12:14 2007 +0000
+++ b/multimedia/gmplayer/distinfo      Thu Sep 13 19:16:01 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2007/07/05 05:18:50 wiz Exp $
+$NetBSD: distinfo,v 1.49 2007/09/13 19:16:02 drochner Exp $
 
 SHA1 (gmplayer-1.0rc9-20060123/AlienMind-1.2.tar.bz2) = 34370da1e003e4accceae194a63483aa6eebc4dc
 RMD160 (gmplayer-1.0rc9-20060123/AlienMind-1.2.tar.bz2) = f3fda7d44a59f98097162f76d0a0d58840974998
@@ -73,6 +73,7 @@
 SHA1 (patch-ai) = bcf45db81587d99fc69ae5fcf89ff4a4b8f6f53c
 SHA1 (patch-aj) = 40ba1625f85f0264628013ad0209aa095e8e5d3f
 SHA1 (patch-ak) = f095e2824fd54ec7a8ea7a8a59641743c1b65191
+SHA1 (patch-al) = cd378430de97b2492d524764e2f4f010bab4474c
 SHA1 (patch-ba) = bdb20f4ead6f55c0847534b5b1f06ea865e438e6
 SHA1 (patch-bb) = 554ca2074716ada4f817f55be61e808e1dc5c93e
 SHA1 (patch-bc) = c073f6e5d2d71030346fda82ff3a1f474ad49c0f
diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/mencoder/Makefile
--- a/multimedia/mencoder/Makefile      Thu Sep 13 12:12:14 2007 +0000
+++ b/multimedia/mencoder/Makefile      Thu Sep 13 19:16:01 2007 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.33 2007/03/09 15:14:16 drochner Exp $
+# $NetBSD: Makefile,v 1.34 2007/09/13 19:16:02 drochner Exp $
 
 PKGNAME=       mencoder-${MPLAYER_PKG_VERSION}
 
-PKGREVISION=   4
+PKGREVISION=   5
 
 COMMENT=       Simple movie encoder for MPlayer-playable movies
 
diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/mplayer-share/distinfo
--- a/multimedia/mplayer-share/distinfo Thu Sep 13 12:12:14 2007 +0000
+++ b/multimedia/mplayer-share/distinfo Thu Sep 13 19:16:01 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.41 2007/07/05 05:18:50 wiz Exp $
+$NetBSD: distinfo,v 1.42 2007/09/13 19:16:01 drochner Exp $
 
 SHA1 (mplayer-1.0rc9/MPlayer-1.0rc1.tar.bz2) = a450c0b0749c343a8496ba7810363c9d46dfa73c
 RMD160 (mplayer-1.0rc9/MPlayer-1.0rc1.tar.bz2) = 8cea02e832aec5d9e090829d61d0f131dcc177a2
@@ -13,6 +13,7 @@
 SHA1 (patch-ai) = bcf45db81587d99fc69ae5fcf89ff4a4b8f6f53c
 SHA1 (patch-aj) = 40ba1625f85f0264628013ad0209aa095e8e5d3f
 SHA1 (patch-ak) = f095e2824fd54ec7a8ea7a8a59641743c1b65191
+SHA1 (patch-al) = cd378430de97b2492d524764e2f4f010bab4474c
 SHA1 (patch-ba) = bdb20f4ead6f55c0847534b5b1f06ea865e438e6
 SHA1 (patch-bb) = 554ca2074716ada4f817f55be61e808e1dc5c93e
 SHA1 (patch-bc) = c073f6e5d2d71030346fda82ff3a1f474ad49c0f
diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/mplayer-share/patches/patch-al
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mplayer-share/patches/patch-al Thu Sep 13 19:16:01 2007 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-al,v 1.1 2007/09/13 19:16:01 drochner Exp $
+
+--- libmpdemux/aviheader.c.orig        2007-09-13 20:25:34.000000000 +0200
++++ libmpdemux/aviheader.c
+@@ -227,16 +227,16 @@ while(1){
+         
+       print_avisuperindex_chunk(s,MSGL_V);
+       
+-      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+-        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+-        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+-      }
+-
+       // Check and fix this useless crap
+       if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+           mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+           s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+       }
++      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
++      mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
++      s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
++      }
++
+       s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
+       s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
+ 
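Review bot: The relocated clamp on `s->nEntriesInUse` is only safe because `s->wLongsPerEntry` has just been forced to `sizeof(avisuperindex_entry)/4`, and nothing in the new code records that dependency; a later reorder would bring back the division by a file-supplied value that may be zero. I would add a comment above the moved `if`, e.g. `// must stay after the wLongsPerEntry fix-up: the division below relies on it being non-zero`. The two re-added body lines (`mp_msg (...)` and `s->nEntriesInUse = ...`) also sit at the same indent as the `if`, unlike the removed originals, which hides the block structure. The `calloc` results for `s->aIndex` and `s->stdidx` are not checked within the hunk; the enclosing `while(1)` loop starts and continues outside it, so confirm a NULL check follows before either array is filled.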
diff -r ee4e8669e6b1 -r 9263be3037d8 multimedia/mplayer/Makefile
--- a/multimedia/mplayer/Makefile       Thu Sep 13 12:12:14 2007 +0000
+++ b/multimedia/mplayer/Makefile       Thu Sep 13 19:16:01 2007 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2007/09/07 10:06:22 tron Exp $
+# $NetBSD: Makefile,v 1.46 2007/09/13 19:16:01 drochner Exp $
 
 PKGNAME=       mplayer-${MPLAYER_PKG_VERSION}
-PKGREVISION=   8
+PKGREVISION=   9
 
 COMMENT=       Software-only MPEG-1/2/4 video decoder
 


