pkgsrc-Changes archive


CVS commit: pkgsrc/audio/id3lib



Module Name:    pkgsrc
Committed By:   martin
Date:           Fri Oct 12 13:51:59 UTC 2018

Modified Files:
        pkgsrc/audio/id3lib: Makefile distinfo
Added Files:
        pkgsrc/audio/id3lib/patches: patch-src__mp3_parse.cpp

Log Message:
Fix a buffer overflow caused by miscalculation of the maximal
VBR header size. Bump revision.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 pkgsrc/audio/id3lib/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/audio/id3lib/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/audio/id3lib/patches/patch-src__mp3_parse.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/audio/id3lib/Makefile
diff -u pkgsrc/audio/id3lib/Makefile:1.34 pkgsrc/audio/id3lib/Makefile:1.35
--- pkgsrc/audio/id3lib/Makefile:1.34   Fri Jan 26 10:32:36 2018
+++ pkgsrc/audio/id3lib/Makefile        Fri Oct 12 13:51:59 2018
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.34 2018/01/26 10:32:36 jperkin Exp $
+# $NetBSD: Makefile,v 1.35 2018/10/12 13:51:59 martin Exp $
 #
 
 DISTNAME=      id3lib-3.8.3
-PKGREVISION=   5
+PKGREVISION=   6
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=id3lib/}
 

Index: pkgsrc/audio/id3lib/distinfo
diff -u pkgsrc/audio/id3lib/distinfo:1.21 pkgsrc/audio/id3lib/distinfo:1.22
--- pkgsrc/audio/id3lib/distinfo:1.21   Tue Nov  3 01:12:35 2015
+++ pkgsrc/audio/id3lib/distinfo        Fri Oct 12 13:51:59 2018
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2015/11/03 01:12:35 agc Exp $
+$NetBSD: distinfo,v 1.22 2018/10/12 13:51:59 martin Exp $
 
 SHA1 (id3lib-3.8.3.tar.gz) = c92c880da41d1ec0b242745a901702ae87970838
 RMD160 (id3lib-3.8.3.tar.gz) = bfa2499ec649ed40815ad0a370c78eb1517952c4
@@ -17,3 +17,4 @@ SHA1 (patch-as) = 50ca42926c603361864bf2
 SHA1 (patch-at) = f5ab25d72d3d6e47c1710bbc17dd0cd0749a0b22
 SHA1 (patch-au) = 2d96d6cadaf8b1055337da6a5f85070ea6222583
 SHA1 (patch-av) = e54c0839ecfe4e3f70758e334666717b5a3b396f
+SHA1 (patch-src__mp3_parse.cpp) = 874614302be7cdcb9b95e8b32e17b488cdf21359

Added files:

Index: pkgsrc/audio/id3lib/patches/patch-src__mp3_parse.cpp
diff -u /dev/null pkgsrc/audio/id3lib/patches/patch-src__mp3_parse.cpp:1.1
--- /dev/null   Fri Oct 12 13:51:59 2018
+++ pkgsrc/audio/id3lib/patches/patch-src__mp3_parse.cpp        Fri Oct 12 13:51:59 2018
@@ -0,0 +1,17 @@
+$NetBSD: patch-src__mp3_parse.cpp,v 1.1 2018/10/12 13:51:59 martin Exp $
+
+Fix a miscalculation of the VBR maximal header size,
+upstream has already been notified (there is a user
+review about this issue)
+
+--- src/mp3_parse.cpp.orig     2003-03-02 01:23:00.000000000 +0100
++++ src/mp3_parse.cpp  2018-10-12 15:46:21.863323611 +0200
+@@ -465,7 +465,7 @@ bool Mp3Info::Parse(ID3_Reader& reader, 
+   // from http://www.xingtech.com/developer/mp3/
+ 
+   const size_t VBR_HEADER_MIN_SIZE = 8;     // "xing" + flags are fixed
+-  const size_t VBR_HEADER_MAX_SIZE = 116;   // frames, bytes, toc and scale are optional
++  const size_t VBR_HEADER_MAX_SIZE = 120;   // frames, bytes, toc and scale are optional
+ 
+   if (mp3size >= vbr_header_offest + VBR_HEADER_MIN_SIZE) 
+   {
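Review bot: On the changed `VBR_HEADER_MAX_SIZE` line, 120 is still a bare literal, so the next reader cannot check it any more easily than the old 116. The 8 fixed bytes plus the optional fields named in the comment, frames (4), bytes (4), toc (100) and scale (4), add up to 120, which means the old value left one 4-byte field out. Writing the constant as `VBR_HEADER_MIN_SIZE + 4 + 4 + 100 + 4`, or extending the comment with the per-field sizes, would keep that derivation next to the value. The buffer this constant sizes is outside the visible context, so it is worth confirming that it is declared from the constant and not from a second literal. The patch description says upstream has been notified but gives no reference; a link to the report would let a later maintainer tell when the patch can be dropped.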


