diff options
author | Martin Wilke <miwi@FreeBSD.org> | 2008-11-09 16:04:23 +0000 |
---|---|---|
committer | Martin Wilke <miwi@FreeBSD.org> | 2008-11-09 16:04:23 +0000 |
commit | fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7 (patch) | |
tree | 0d6ffbe88c46934e82d873467141b5c9ff66f6f3 /multimedia | |
parent | 46783045ee8652c8e30216c4a3e6b005c44b8492 (diff) | |
download | ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.tar.gz ports-fc460102f4d1ebf49d8c2943ca6b1843dee5a7e7.zip |
Fix a stack overflow vulnerability while parsing malformed cue files.
The vulnerability may be exploited by a (remote) attacker to execute
arbitrary code in the context of VLC media player.
PR: 128660
Submitted by: "Joseph S. Atkinson" <jsa@wickedmachine.net> (maintainer)
Security: http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html
Notes
Notes:
svn path=/head/; revision=222605
Diffstat (limited to 'multimedia')
-rw-r--r-- | multimedia/vlc/Makefile | 2 | ||||
-rw-r--r-- | multimedia/vlc/files/patch-modules__access__vcd__cdrom.c | 111 |
2 files changed, 112 insertions, 1 deletions
diff --git a/multimedia/vlc/Makefile b/multimedia/vlc/Makefile index 543d0465bf01..a9a811d8344e 100644 --- a/multimedia/vlc/Makefile +++ b/multimedia/vlc/Makefile @@ -10,7 +10,7 @@ PORTNAME= vlc DISTVERSION= 0.8.6i -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 2 CATEGORIES= multimedia audio ipv6 net www MASTER_SITES= http://download.videolan.org/pub/videolan/vlc/${DISTVERSION}/ \ diff --git a/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c b/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c new file mode 100644 index 000000000000..837a231b0f21 --- /dev/null +++ b/multimedia/vlc/files/patch-modules__access__vcd__cdrom.c @@ -0,0 +1,111 @@ +--- modules/access/vcd/cdrom.c ++++ modules/access/vcd/cdrom.c +@@ -820,6 +820,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, + char *psz_vcdfile = NULL; + char *psz_cuefile = NULL; + FILE *cuefile = NULL; ++ int *p_sectors = NULL; + char line[1024]; + bool b_found = false; + +@@ -858,7 +859,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, + cuefile = utf8_fopen( psz_cuefile, "rt" ); + if( cuefile == NULL ) + { +- i_ret = -1; + msg_Dbg( p_this, "could not find .cue file" ); + goto error; + } +@@ -904,58 +904,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, + } + + if( p_vcddev->i_vcdimage_handle == -1) +- { +- i_ret = -1; + goto error; +- } +- else i_ret = 0; + + /* Try to parse the i_tracks and p_sectors info so we can just forget + * about the cuefile */ +- if( i_ret == 0 ) ++ size_t i_tracks = 0; ++ ++ while( fgets( line, 1024, cuefile ) ) + { +- int p_sectors[100]; +- int i_tracks = 0; +- int i_num; +- char psz_dummy[10]; ++ /* look for a TRACK line */ ++ char psz_dummy[9]; ++ if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") ) ++ continue; + ++ /* look for an INDEX line */ + while( fgets( line, 1024, cuefile ) ) + { +- /* look for a TRACK line */ +- if( !sscanf( line, "%9s", psz_dummy ) || +- strcmp(psz_dummy, "TRACK") ) +- continue; +- +- /* look for an INDEX line */ +- while( fgets( line, 1024, cuefile ) ) +- { +- int i_min, i_sec, i_frame; ++ int i_num, i_min, i_sec, i_frame; + +- if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num, +- &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) ) +- continue; ++ if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num, ++ &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) ) ++ continue; + +- i_tracks++; +- p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame); +- msg_Dbg( p_this, "vcd track %i begins at sector:%i", +- i_tracks - 1, p_sectors[i_tracks - 1] ); +- break; +- } ++ int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int)); ++ if (buf == NULL) ++ goto error; ++ p_sectors = buf; ++ p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame); ++ msg_Dbg( p_this, "vcd track %i begins at sector:%i", ++ i_tracks, p_sectors[i_tracks] ); ++ i_tracks++; ++ break; + } +- +- /* fill in the last entry */ +- p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END) +- / VCD_SECTOR_SIZE; +- msg_Dbg( p_this, "vcd track %i, begins at sector:%i", +- i_tracks, p_sectors[i_tracks] ); +- p_vcddev->i_tracks = i_tracks; +- p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) ); +- memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) ); +- + } + ++ /* fill in the last entry */ ++ int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int)); ++ if (buf == NULL) ++ goto error; ++ p_sectors = buf; ++ p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END) ++ / VCD_SECTOR_SIZE; ++ msg_Dbg( p_this, "vcd track %i, begins at sector:%i", ++ i_tracks, p_sectors[i_tracks] ); ++ p_vcddev->i_tracks = ++i_tracks; ++ p_vcddev->p_sectors = p_sectors; ++ i_ret = 0; ++ + error: + if( cuefile ) fclose( cuefile ); ++ if( p_sectors ) free( p_sectors ); + if( psz_cuefile ) free( psz_cuefile ); + if( psz_vcdfile ) free( psz_vcdfile );free( p_sectors ); |