Fix a stack overflow vulnerability while parsing malformed cue files.

The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. PR: 128660 Submitted by: "Joseph S. Atkinson" <jsa@wickedmachine.net> (maintainer) Security: http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html
author: Martin Wilke <miwi@FreeBSD.org> 2008-11-09 16:04:23 +0000
committer: Martin Wilke <miwi@FreeBSD.org> 2008-11-09 16:04:23 +0000
commit: fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7 (patch)
tree: 0d6ffbe88c46934e82d873467141b5c9ff66f6f3 /multimedia
parent: 46783045ee8652c8e30216c4a3e6b005c44b8492 (diff)
download: ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.tar.gz
ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.zip
2 files changed, 112 insertions, 1 deletions
diff --git a/multimedia/vlc/Makefile b/multimedia/vlc/Makefile
index 543d0465bf01..a9a811d8344e 100644
--- a/multimedia/vlc/Makefile
+++ b/multimedia/vlc/Makefile
@@ -10,7 +10,7 @@
 
 PORTNAME=	vlc
 DISTVERSION=	0.8.6i
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	2
 CATEGORIES=	multimedia audio ipv6 net www
 MASTER_SITES=	http://download.videolan.org/pub/videolan/vlc/${DISTVERSION}/ \
diff --git a/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c b/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c
new file mode 100644
index 000000000000..837a231b0f21
--- /dev/null
+++ b/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c
@@ -0,0 +1,111 @@
+--- modules/access/vcd/cdrom.c
++++ modules/access/vcd/cdrom.c
+@@ -820,6 +820,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+     char *psz_vcdfile = NULL;
+     char *psz_cuefile = NULL;
+     FILE *cuefile     = NULL;
++    int *p_sectors    = NULL;
+     char line[1024];
+     bool b_found      = false;
+ 
+@@ -858,7 +859,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+     cuefile = utf8_fopen( psz_cuefile, "rt" );
+     if( cuefile == NULL )
+     {
+-        i_ret = -1;
+         msg_Dbg( p_this, "could not find .cue file" );
+         goto error;
+     }
+@@ -904,58 +904,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
+     }
+ 
+     if( p_vcddev->i_vcdimage_handle == -1)
+-    {
+-        i_ret = -1;
+         goto error;
+-    }
+-    else i_ret = 0;
+ 
+     /* Try to parse the i_tracks and p_sectors info so we can just forget
+      * about the cuefile */
+-    if( i_ret == 0 )
++    size_t i_tracks = 0;
++
++    while( fgets( line, 1024, cuefile ) )
+     {
+-        int p_sectors[100];
+-        int i_tracks = 0;
+-        int i_num;
+-        char psz_dummy[10];
++        /* look for a TRACK line */
++        char psz_dummy[9];
++        if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") )
++            continue;
+ 
++        /* look for an INDEX line */
+         while( fgets( line, 1024, cuefile ) )
+         {
+-            /* look for a TRACK line */
+-            if( !sscanf( line, "%9s", psz_dummy ) ||
+-                strcmp(psz_dummy, "TRACK") )
+-                continue;
+-
+-            /* look for an INDEX line */
+-            while( fgets( line, 1024, cuefile ) )
+-            {
+-                int i_min, i_sec, i_frame;
++            int i_num, i_min, i_sec, i_frame;
+ 
+-                if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
+-                            &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
+-                    continue;
++            if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num,
++                         &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) )
++                continue;
+ 
+-                i_tracks++;
+-                p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
+-                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
+-                         i_tracks - 1, p_sectors[i_tracks - 1] );
+-                break;
+-            }
++            int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++            if (buf == NULL)
++                goto error;
++            p_sectors = buf;
++            p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
++            msg_Dbg( p_this, "vcd track %i begins at sector:%i",
++                     i_tracks, p_sectors[i_tracks] );
++            i_tracks++;
++            break;
+         }
+-
+-        /* fill in the last entry */
+-        p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
+-                                / VCD_SECTOR_SIZE;
+-        msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
+-                 i_tracks, p_sectors[i_tracks] );
+-        p_vcddev->i_tracks = i_tracks;
+-        p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) );
+-        memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) );
+-
+     }
+ 
++    /* fill in the last entry */
++    int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
++    if (buf == NULL)
++        goto error;
++    p_sectors = buf;
++    p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
++                                 / VCD_SECTOR_SIZE;
++    msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
++             i_tracks, p_sectors[i_tracks] );
++    p_vcddev->i_tracks = ++i_tracks;
++    p_vcddev->p_sectors = p_sectors;
++    i_ret = 0;
++
+ error:
+     if( cuefile ) fclose( cuefile );
++    if( p_sectors ) free( p_sectors );
+     if( psz_cuefile ) free( psz_cuefile );
+     if( psz_vcdfile ) free( psz_vcdfile );free( p_sectors );
author	Martin Wilke <miwi@FreeBSD.org>	2008-11-09 16:04:23 +0000
committer	Martin Wilke <miwi@FreeBSD.org>	2008-11-09 16:04:23 +0000
commit	fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7 (patch)
tree	0d6ffbe88c46934e82d873467141b5c9ff66f6f3 /multimedia
parent	46783045ee8652c8e30216c4a3e6b005c44b8492 (diff)
download	ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.tar.gz ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.zip