Tue Oct 1 14:50:38 2013 UTC ()
add patch from upstream to fix buffer overflow in the mp4a packetizer
(CVE-2013-4388)
bump PKGREV


(drochner)
diff -r1.39 -r1.40 pkgsrc/multimedia/vlc2/Makefile
diff -r1.20 -r1.21 pkgsrc/multimedia/vlc2/distinfo
diff -r0 -r1.1 pkgsrc/multimedia/vlc2/patches/patch-CVE-2013-4388


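--- a/pkgsrc/multimedia/vlc2/Attic/Makefile
+++ b/pkgsrc/multimedia/vlc2/Attic/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.39 2013/09/02 19:51:19 adam Exp $
+# $NetBSD: Makefile,v 1.40 2013/10/01 14:50:38 drochner Exp $
 
 DISTNAME= vlc-${VLC_VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= multimedia
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=vlc/} \
  http://download.videolan.org/pub/videolan/vlc/${VLC_VERSION}/
 EXTRACT_SUFX= .tar.xz
 
 VLC_VERSION= 2.0.8
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.videolan.org/
 COMMENT= VLC media player and streaming server
 LICENSE= gnu-gpl-v2
 
 CONFLICTS= vlc07-[0-9]* vlc08-[0-9]*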


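--- a/pkgsrc/multimedia/vlc2/Attic/distinfo
+++ b/pkgsrc/multimedia/vlc2/Attic/distinfo
@@ -1,18 +1,19 @@
-$NetBSD: distinfo,v 1.20 2013/08/23 12:45:50 drochner Exp $
+$NetBSD: distinfo,v 1.21 2013/10/01 14:50:38 drochner Exp $
 
 SHA1 (vlc-2.0.8.tar.xz) = 8937ed30412bef49db77d2187a9e4734866f8ab7
 RMD160 (vlc-2.0.8.tar.xz) = cd2483e4447b8bc4a91dbcf95ff1213244dcf40f
 Size (vlc-2.0.8.tar.xz) = 18858236 bytes
+SHA1 (patch-CVE-2013-4388) = 19496eb8c81fd06adbc9d736e1ceafe55fa7c14d
 SHA1 (patch-aa) = 46003ac47b0b0ab97f481cbd755d48f624b0fa87
 SHA1 (patch-ab) = 7833e9d1e023f53dd1125af5049eb9d74b733905
 SHA1 (patch-ac) = 9cdb4bdad7f8e6a09e35b5a1142350d47d77f270
 SHA1 (patch-ad) = bfcca3f794bc5dac7366210b4548ab45d23040d8
 SHA1 (patch-ae) = 91cf64607a33dab18cd2d92464ab9731008f6a68
 SHA1 (patch-af) = 8c9de1d74252ae3232bf2ac6755057ccef650228
 SHA1 (patch-ag) = 9fd4a1d0a43b7032b2db6597ac21fd609631733c
 SHA1 (patch-ah) = 7eb1bb9ff4ab55317ca4c2ab3669208dce70a9e3
 SHA1 (patch-ai) = 83d3aa9aa048aa81671640334b3b2c9d4f44a495
 SHA1 (patch-ar) = 153164870e9dc50ad32106d9f8ebd25b35ed3dd3
 SHA1 (patch-as) = b53b074b2791d7bf69d5f09c7c32d873608f3086
 SHA1 (patch-at) = bf48ded3571358d6b718af47b28804c3155d84ef
 SHA1 (patch-au) = 5ea53969efefe3d9a6e3121b5453b573c633124b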

File Added: pkgsrc/multimedia/vlc2/patches/Attic/patch-CVE-2013-4388
$NetBSD: patch-CVE-2013-4388,v 1.1 2013/10/01 14:50:38 drochner Exp $

upstream commit 9794ec1cd268c04c8bca13a5fae15df6594dff3e

--- modules/packetizer/mpeg4audio.c.orig	2012-04-27 17:14:57.000000000 +0000
+++ modules/packetizer/mpeg4audio.c
@@ -892,8 +892,11 @@ static int LOASParse( decoder_t *p_dec, 
                         continue;
 
                     /* FIXME that's slow (and a bit ugly to write in place) */
-                    for( i = 0; i < pi_payload[i_program][i_layer]; i++ )
+                    for( i = 0; i < pi_payload[i_program][i_layer]; i++ ) {
+			if (i_accumulated >= i_buffer)
+			    return 0;
                         p_buffer[i_accumulated++] = bs_read( &s, 8 );
+		    }
                 }
             }
         }
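Review bot: The added `if (i_accumulated >= i_buffer) return 0;` inside the byte loop carries no comment explaining why an oversized payload drops the whole frame rather than being truncated, and a reader arriving at this return will not see that it is the CVE-2013-4388 bound; a one-line comment such as `/* payload length from the stream exceeds the output buffer: reject the frame */` above the check would record that. The check could also be hoisted above the loop as `if( i_accumulated + pi_payload[i_program][i_layer] > i_buffer ) return 0;` so the per-byte loop body stays untouched, but only if the addition cannot overflow, which depends on the type and range of pi_payload declared outside the hunk. The inserted lines are indented with tabs while the surrounding lines use spaces, so the patch should follow the file's existing indentation. LOASParse begins before the hunk, so the origin of i_buffer and how callers treat a 0 return are not visible here.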