Date:      Thu, 23 Feb 2006 21:56:46 +0100 (CET)
From:      "Thomas E. Zander" <riggs@rrr.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/93767: [Maintainer-update] multimedia/mplayer (buf overflow)
Message-ID:  <200602232056.k1NKukVC089163@marvin.riggiland.au>
Resent-Message-ID: <200602232100.k1NL0FCM035251@freefall.freebsd.org>


>Number:         93767
>Category:       ports
>Synopsis:       [Maintainer-update] multimedia/mplayer (buf overflow)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 23 21:00:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Thomas E. Zander
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD marvin.riggiland.au 6.0-STABLE
>Description:
A potential mplayer vulnerability (heap overflow) has been detected
in the ASF demuxer.
Although at the moment no exploit is known, it is potentially dangerous,
especially as streaming content might be misused for remote exploits.
This PR adds a new file,

files/patch-libmpdemux-demuxer.h

which contains the official patch to address this issue.
>How-To-Repeat:
>Fix:
Patch for multimedia/mplayer:

diff -ruN /usr/ports/multimedia/mplayer/Makefile mplayer/Makefile
--- /usr/ports/multimedia/mplayer/Makefile	Tue Jan 10 07:23:45 2006
+++ mplayer/Makefile	Thu Feb 23 09:35:36 2006
@@ -270,7 +270,7 @@
 
 PORTNAME=	mplayer
 PORTVERSION=	0.99.7
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	multimedia audio ipv6
 MASTER_SITES=	http://www1.mplayerhq.hu/MPlayer/releases/ \
 		http://www2.mplayerhq.hu/MPlayer/releases/ \
diff -ruN /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h mplayer/files/patch-libmpdemux-demuxer.h
--- /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h	Thu Jan  1 01:00:00 1970
+++ mplayer/files/patch-libmpdemux-demuxer.h	Thu Feb 23 07:15:35 2006
@@ -0,0 +1,43 @@
+Index: libmpdemux/demuxer.h
+===================================================================
+RCS file: /cvsroot/mplayer/main/libmpdemux/demuxer.h,v
+retrieving revision 1.87
+retrieving revision 1.90
+diff -u -r1.87 -r1.90
+--- libmpdemux/demuxer.h	9 Feb 2006 19:39:51 -0000	1.87
++++ libmpdemux/demuxer.h	12 Feb 2006 17:01:30 -0000	1.90
+@@ -190,17 +190,19 @@
+   dp->flags=0;
+   dp->refcount=1;
+   dp->master=NULL;
+-  dp->buffer=len?(unsigned char*)malloc(len+8):NULL;
+-  if(len) memset(dp->buffer+len,0,8);
++  dp->buffer=NULL;
++  if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8)))
++    memset(dp->buffer + len, 0, 8);
++  else
++    dp->len = 0;
+   return dp;
+ }
+ 
+ inline static void resize_demux_packet(demux_packet_t* dp, int len)
+ {
+-  if(len)
++  if(len > 0)
+   {
+      dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);
+-     memset(dp->buffer+len,0,8);
+   }
+   else
+   {
+@@ -208,6 +210,10 @@
+      dp->buffer=NULL;
+   }
+   dp->len=len;
++  if (dp->buffer)
++     memset(dp->buffer + len, 0, 8);
++  else
++     dp->len = 0;
+ }
+ 
+ inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){
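Review bot: in resize_demux_packet the realloc() result is still written straight into dp->buffer (`dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);`), so when the allocation fails the previous block is leaked, even though the new tail code correctly resets dp->len to 0. Assign the result to a temporary and free or keep the old buffer explicitly. Separately, the `len > 0` checks only reject zero and negative lengths: in resize_demux_packet `len+8` is computed on an int and can overflow for values near INT_MAX, so an upper bound such as len <= INT_MAX - 8 (or a maximum packet size chosen for the demuxer) belongs in the same condition. On failure callers now receive a packet with buffer == NULL and len == 0, which deserves a comment at both functions so demuxers know to check for it.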
>Release-Note:
>Audit-Trail:
>Unformatted:


