diff options
| author |   Steve Dibb <beandog@gentoo.org> | 2008-12-17 15:15:10 +0000 |
|---|---|---|
| committer | Steve Dibb <beandog@gentoo.org> | 2008-12-17 15:15:10 +0000 |
| commit | 69f205f124a4d0decd5a0977a1e566dcf7cc6f84 (patch) | |
| tree | 0ae22d950c8516952df5ab41f3245e902f7675ad /media-video/mplayer/files | |
| parent | Marked stable on amd64 for bug #250728 (diff) | |
| download | gentoo-2-69f205f124a4d0decd5a0977a1e566dcf7cc6f84.tar.gz gentoo-2-69f205f124a4d0decd5a0977a1e566dcf7cc6f84.tar.bz2 gentoo-2-69f205f124a4d0decd5a0977a1e566dcf7cc6f84.zip | |
Add patch for security bug 251017; Change realplayer dep to realcodecs, bug 249572
(Portage version: 2.2_rc17/cvs/Linux 2.6.27-gentoo x86_64)
Diffstat (limited to 'media-video/mplayer/files')
| -rw-r--r-- | media-video/mplayer/files/mplayer-1.0_rc2_p28058-demux_vqf.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/media-video/mplayer/files/mplayer-1.0_rc2_p28058-demux_vqf.patch b/media-video/mplayer/files/mplayer-1.0_rc2_p28058-demux_vqf.patch new file mode 100644 index 000000000000..ff2483996be1 --- /dev/null +++ b/media-video/mplayer/files/mplayer-1.0_rc2_p28058-demux_vqf.patch @@ -0,0 +1,55 @@ +--- mplayer-1.0_rc2_p28058.orig/libmpdemux/demux_vqf.c 2007/10/07 16:27:03 24723 ++++ mplayer-1.0_rc2_p28058/libmpdemux/demux_vqf.c 2008/12/14 15:18:41 28150 +@@ -50,11 +50,14 @@ + unsigned chunk_size; + hi->size=chunk_size=stream_read_dword(s); /* include itself */ + stream_read(s,chunk_id,4); ++ if (chunk_size < 8) return NULL; ++ chunk_size -= 8; + if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M')) + { +- char buf[chunk_size-8]; ++ char buf[BUFSIZ]; + unsigned i,subchunk_size; +- if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL; ++ if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL; ++ if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL; + i=0; + subchunk_size=be2me_32(*((uint32_t *)&buf[0])); + hi->channelMode=be2me_32(*((uint32_t *)&buf[4])); +@@ -83,13 +86,15 @@ + sh_audio->samplesize = 4; + w->wBitsPerSample = 8*sh_audio->samplesize; + w->cbSize = 0; ++ if (subchunk_size > chunk_size - 4) continue; + i+=subchunk_size+4; +- while(i<chunk_size-8) ++ while(i + 8 < chunk_size) + { + unsigned slen,sid; +- char sdata[chunk_size]; ++ char sdata[BUFSIZ]; + sid=*((uint32_t *)&buf[i]); i+=4; + slen=be2me_32(*((uint32_t *)&buf[i])); i+=4; ++ if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break; + if(sid==mmioFOURCC('D','S','I','Z')) + { + hi->Dsiz=be2me_32(*((uint32_t *)&buf[i])); +@@ -141,7 +146,7 @@ + if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('D','A','T','A')) + { + demuxer->movi_start=stream_tell(s); +- demuxer->movi_end=demuxer->movi_start+chunk_size-8; ++ demuxer->movi_end=demuxer->movi_start+chunk_size; + mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end); + /* Done! play it */ + break; +@@ -149,7 +154,7 @@ + else + { + mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",((char *)&chunk_id)[0],((char *)&chunk_id)[1],((char *)&chunk_id)[2],((char *)&chunk_id)[3],chunk_size); +- stream_skip(s,chunk_size-8); /*unknown chunk type */ ++ stream_skip(s,chunk_size); /*unknown chunk type */ + } + } + |