Date: Fri, 7 Nov 2008 05:18:12 GMT From: "Joseph S. Atkinson" <jsa@wickedmachine.net> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/128660: multimedia/vlc buffer overflow fix Message-ID: <200811070518.mA75ICUr023548@www.freebsd.org> Resent-Message-ID: <200811070520.mA75K3Af080829@freefall.freebsd.org>
>Number: 128660 >Category: ports >Synopsis: multimedia/vlc buffer overflow fix >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Fri Nov 07 05:20:03 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Joseph S. Atkinson >Release: >Organization: >Environment: >Description: Fixes an overflow in modules/access/vcd/cdrom.c Offical announcement: http://www.videolan.org/security/sa0810.html In depth: http://www.trapkit.de/advisories/TKADV2008-012.txt Patch obtained from VideoLAN's git and grafted onto 0.8.6i as painlessly as possible. The issue with RealText subtitles mentioned in VideoLAN-SA-0810 does not appear to apply to the 0.8.x branch. For the curious/doubtful/paranoid, more info on that can be found at: http://www.trapkit.de/advisories/TKADV2008-011.txt >How-To-Repeat: >Fix: This patch generates the new file "vlc/files/patch-modules__access__vcd__cdrom.c" and bumps PORTREVISION. Patch attached with submission follows:
diff -urN vlc.orig/Makefile vlc/Makefile
--- vlc.orig/Makefile 2008-10-26 06:37:43.000000000 -0400
+++ vlc/Makefile 2008-11-07 00:00:39.000000000 -0500
@@ -10,7 +10,7 @@
 PORTNAME= vlc
 DISTVERSION= 0.8.6i
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 2
 CATEGORIES= multimedia audio ipv6 net www
 MASTER_SITES= http://download.videolan.org/pub/videolan/vlc/${DISTVERSION}/ \
diff -urN vlc.orig/files/patch-modules__access__vcd__cdrom.c vlc/files/patch-modules__access__vcd__cdrom.c
--- vlc.orig/files/patch-modules__access__vcd__cdrom.c 1969-12-31 19:00:00.000000000 -0500
+++ vlc/files/patch-modules__access__vcd__cdrom.c 2008-11-07 00:00:39.000000000 -0500
@@ -0,0 +1,111 @@
+--- modules/access/vcd/cdrom.c
++++ modules/access/vcd/cdrom.c
+@@ -820,6 +820,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+ char *psz_vcdfile = NULL;
+ char *psz_cuefile = NULL;
+ FILE *cuefile = NULL;
++ int *p_sectors = NULL;
+ char line[1024];
+ bool b_found = false;
+
+@@ -858,7 +859,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+ cuefile = utf8_fopen( psz_cuefile, "rt" );
+ if( cuefile == NULL )
+ {
+- i_ret = -1;
+ msg_Dbg( p_this, "could not find .cue file" );
+ goto error;
+ }
+@@ -904,58 +904,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+ }
+
+ if( p_vcddev->i_vcdimage_handle == -1)
+- {
+- i_ret = -1;
+ goto error;
+- }
+- else i_ret = 0;
+
+ /* Try to parse the i_tracks and p_sectors info so we can just forget
+ * about the cuefile */
+- if( i_ret == 0 )
++ size_t i_tracks = 0;
++
++ while( fgets( line, 1024, cuefile ) )
+ {
+- int p_sectors[100];
+- int i_tracks = 0;
+- int i_num;
+- char psz_dummy[10];
++ /* look for a TRACK line */
++ char psz_dummy[9];
++ if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") )
++ continue;
+
++ /* look for an INDEX line */
+ while( fgets( line, 1024, cuefile ) )
+ {
+- /* look for a TRACK line */
+- if( !sscanf( line, "%9s", psz_dummy ) ||
+- strcmp(psz_dummy, "TRACK") )
+- continue;
+-
+- /* look for an INDEX line */
+- while( fgets( line, 1024, cuefile ) )
+- {
+- int i_min, i_sec, i_frame;
++ int i_num, i_min, i_sec, i_frame;
+
+- if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
+- &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
+- continue;
++ if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num,
++ &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) )
++ continue;
+
+- i_tracks++;
+- p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
+- msg_Dbg( p_this, "vcd track %i begins at sector:%i",
+- i_tracks - 1, p_sectors[i_tracks - 1] );
+- break;
+- }
++ int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++ if (buf == NULL)
++ goto error;
++ p_sectors = buf;
++ p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
++ msg_Dbg( p_this, "vcd track %i begins at sector:%i",
++ i_tracks, p_sectors[i_tracks] );
++ i_tracks++;
++ break;
+ }
+-
+- /* fill in the last entry */
+- p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
+- / VCD_SECTOR_SIZE;
+- msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
+- i_tracks, p_sectors[i_tracks] );
+- p_vcddev->i_tracks = i_tracks;
+- p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) );
+- memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) );
+-
+ }
+
++ /* fill in the last entry */
++ int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++ if (buf == NULL)
++ goto error;
++ p_sectors = buf;
++ p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
++ / VCD_SECTOR_SIZE;
++ msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
++ i_tracks, p_sectors[i_tracks] );
++ p_vcddev->i_tracks = ++i_tracks;
++ p_vcddev->p_sectors = p_sectors;
++ i_ret = 0;
++
+ error:
+ if( cuefile ) fclose( cuefile );
++ if( p_sectors ) free( p_sectors );
+ if( psz_cuefile ) free( psz_cuefile );
+ if( psz_vcdfile ) free( psz_vcdfile );free( p_sectors );
>Release-Note: >Audit-Trail: >Unformatted:
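Review bot: On the success path the sector array is freed while it is still referenced: the new code stores it with `p_vcddev->p_sectors = p_sectors;`, sets `i_ret = 0;` and then falls through into `error:`, where the added `if( p_sectors ) free( p_sectors );` releases it and leaves `p_vcddev->p_sectors` dangling. Handing over ownership needs `p_sectors = NULL;` right after that assignment, so the cleanup frees the array only on the failure paths. The added `char psz_dummy[9];` is also one byte short for `sscanf( line, "%9s", psz_dummy )`, which can store nine characters plus the terminator from a cue-file line; `char psz_dummy[10];` as before, or a `"%8s"` width, keeps that read in bounds. The last line of the patch as shown has `free( p_sectors );` fused onto `free( psz_vcdfile );`, and if that is really in the file rather than an artifact of the mail archive it would be a second free of the same pointer. OpenVCDImage starts and ends outside the hunk, so the initial value of `i_ret` and the return statement are not visible here.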