Message-Id: <200602232056.k1NKukVC089163@marvin.riggiland.au>
Date: Thu, 23 Feb 2006 21:56:46 +0100 (CET)
From: "Thomas E. Zander"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/93767: [Maintainer-update] multimedia/mplayer (buf overflow)

>Number: 93767
>Category: ports
>Synopsis: [Maintainer-update] multimedia/mplayer (buf overflow)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 23 21:00:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Thomas E. Zander
>Release: FreeBSD 6.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD marvin.riggiland.au 6.0-STABLE
>Description:
A potential mplayer vulnerability (heap overflow) has been detected in the ASF demuxer. Although at the moment no exploit is known, it is potentially dangerous, especially as streaming content might be misused for remote exploits. This PR adds a new file, files/patch-libmpdemux-demuxer.h, which contains the official patch to address this issue.
>How-To-Repeat:
>Fix:
Patch for multimedia/mplayer:
diff -ruN /usr/ports/multimedia/mplayer/Makefile mplayer/Makefile --- /usr/ports/multimedia/mplayer/Makefile Tue Jan 10 07:23:45 2006 +++ mplayer/Makefile Thu Feb 23 09:35:36 2006 
@@ -270,7 +270,7 @@ PORTNAME= mplayer PORTVERSION= 0.99.7 -PORTREVISION= 9 +PORTREVISION= 10 CATEGORIES= multimedia audio ipv6 MASTER_SITES= http://www1.mplayerhq.hu/MPlayer/releases/ \ http://www2.mplayerhq.hu/MPlayer/releases/ \ diff -ruN /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h mplayer/files/patch-libmpdemux-demuxer.h --- /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h Thu Jan 1 01:00:00 1970 +++ mplayer/files/patch-libmpdemux-demuxer.h Thu Feb 23 07:15:35 2006 @@ -0,0 +1,43 @@ +Index: libmpdemux/demuxer.h +=================================================================== +RCS file: /cvsroot/mplayer/main/libmpdemux/demuxer.h,v +retrieving revision 1.87 +retrieving revision 1.90 +diff -u -r1.87 -r1.90 +--- libmpdemux/demuxer.h 9 Feb 2006 19:39:51 -0000 1.87 ++++ libmpdemux/demuxer.h 12 Feb 2006 17:01:30 -0000 1.90 +@@ -190,17 +190,19 @@ + dp->flags=0; + dp->refcount=1; + dp->master=NULL; +- dp->buffer=len?(unsigned char*)malloc(len+8):NULL; +- if(len) memset(dp->buffer+len,0,8); ++ dp->buffer=NULL; ++ if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8))) ++ memset(dp->buffer + len, 0, 8); ++ else ++ dp->len = 0; + return dp; + } + + inline static void resize_demux_packet(demux_packet_t* dp, int len) + { +- if(len) ++ if(len > 0) + { + dp->buffer=(unsigned char *)realloc(dp->buffer,len+8); +- memset(dp->buffer+len,0,8); + } + else + { +@@ -208,6 +210,10 @@ + dp->buffer=NULL; + } + dp->len=len; ++ if (dp->buffer) ++ memset(dp->buffer + len, 0, 8); ++ else ++ dp->len = 0; + } + + inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){ >Release-Note: >Audit-Trail: >Unformatted:
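Review bot: In the libmpdemux/demuxer.h hunk at @@ -190,17 +190,19 @@, the new `len > 0` tests reject zero and negative lengths but nothing bounds len from above, so `len + 8` in both the malloc and the realloc call is still signed overflow (undefined behaviour) when len is within 8 of INT_MAX; resize_demux_packet visibly takes `int len`. Suggest rejecting such lengths explicitly before allocating, for example by adding `len <= INT_MAX - 8` to the condition, and sending them down the same path as an allocation failure (buffer NULL, `dp->len = 0`), rather than relying on the allocator to refuse the wrapped size.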
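Review bot: In the @@ -208,6 +210,10 @@ hunk, the added `if (dp->buffer) ... else dp->len = 0;` covers a failed realloc, but the call in resize_demux_packet still assigns the result straight to `dp->buffer`, so on failure the only reference to the original block is overwritten with NULL and that block leaks. Suggest taking the realloc result in a temporary, freeing the old buffer (or keeping it together with the old length) when the temporary is NULL, and only then updating `dp->buffer` and `dp->len`.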