video/mplayer: added security patch, fixes http://www.ocert.org/advisories/ocert-2008-013.html

(cherry-picked from commit 273b25c4bd43328950fcaf43d518134ec23f2aca)

4 files changed, 36 insertions, 2 deletions

diff --git a/video/mplayer/DETAILS b/video/mplayer/DETAILS
index 6b7da33709..3c68d31d8a 100755
--- a/video/mplayer/DETAILS
+++ b/video/mplayer/DETAILS
@@ -18,7 +18,7 @@ else
    SOURCE_URL[2]=ftp://ftp5.mplayerhq.hu/MPlayer/releases/$SOURCE
       SOURCE_GPG="gurus.gpg:$SOURCE.sig:WORKS_FOR_ME"
 SOURCE_DIRECTORY=$BUILD_DIRECTORY/MPlayer-$VERSION
-  SECURITY_PATCH=2
+  SECURITY_PATCH=3
 fi
       PATCHLEVEL=1
         WEB_SITE=http://www.mplayerhq.hu
diff --git a/video/mplayer/HISTORY b/video/mplayer/HISTORY
index 9f091dc8c6..267ab6ca9e 100644..100755
--- a/video/mplayer/HISTORY
+++ b/video/mplayer/HISTORY
@@ -1,3 +1,8 @@
+2008-09-30 Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de>
+	* PRE_BUILD, mplayer_demux_real.patch: added security relevant
+	  patch, fixes http://www.ocert.org/advisories/ocert-2008-013.html
+	* DETAILS: SECURITY_PATCH++
+
 2008-07-14 Remko van der Vossen <wich@sourcemage.org>
 	* INSTALL: Create /usr/share/pixmaps before installing icon, otherwise
 	  /usr/share/pixmaps will be a file
diff --git a/video/mplayer/PRE_BUILD b/video/mplayer/PRE_BUILD
index e1581bc842..4a7ebed082 100755
--- a/video/mplayer/PRE_BUILD
+++ b/video/mplayer/PRE_BUILD
@@ -4,7 +4,8 @@ if [[ ! $MPLAYER_SVN = y ]]; then
     for i in demux_audio_fix_20080129.diff \
         demux_mov_fix_20080129.diff \
         stream_cddb_fix_20080120.diff \
-        url_fix_20080120.diff; do
+        url_fix_20080120.diff \
+        mplayer_demux_real.patch; do
         patch -p0 < $SCRIPT_DIRECTORY/$i
     done
 fi
diff --git a/video/mplayer/mplayer_demux_real.patch b/video/mplayer/mplayer_demux_real.patch
new file mode 100755
index 0000000000..88566fe0b0
--- /dev/null
+++ b/video/mplayer/mplayer_demux_real.patch
@@ -0,0 +1,28 @@
+Index: libmpdemux/demux_real.c
+===================================================================
+--- libmpdemux/demux_real.c	(revision 27605)
++++ libmpdemux/demux_real.c	(working copy)
+@@ -947,6 +947,7 @@
+ 			    // last fragment!
+ 			    if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ 				mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++			    if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+             		    stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ 			    if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ 			    dp_hdr->len+=vpkg_offset;
+@@ -970,6 +971,7 @@
+ 			// non-last fragment:
+ 			if(dp_hdr->len!=vpkg_offset)
+ 			    mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d  offset=%d  frag.len=%d  total.len=%d  \n",dp->len,vpkg_offset,len,vpkg_length);
++			if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+             		stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ 			if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ 			dp_hdr->len+=len;
+@@ -992,6 +994,7 @@
+ 		extra[0]=1; extra[1]=0; // offset of the first chunk
+ 		if(0x00==(vpkg_header&0xc0)){
+ 		    // first fragment:
++		    if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ 		    dp_hdr->len=len;
+ 		    stream_read(demuxer->stream, dp_data, len);
+ 		    ds->asf_packet=dp;