Changes - j0ke.net Open Build Service

Changes of Revision 17

[-] [+]	Changed	MPlayer.spec
@@ -18,6 +18,10 @@ Patch7: MPlayer-1.0rc1-warn.patch Patch8: MPlayer-comparison.patch Patch18: MPlayer-pci_linux_gnu_source.patch +Patch20: demux_audio_fix_20080129.diff +Patch21: demux_mov_fix_20080129.diff +Patch22: stream_cddb_fix_20080120.diff +Patch23: url_fix_20080120.diff URL: http://www.mplayerhq.hu BuildRoot: %{_tmppath}/%{name}-%{version}-build Prefix: %{_prefix} @@ -76,6 +80,10 @@ %patch7 %patch8 -p1 %patch18 +%patch20 +%patch21 +%patch22 +%patch23 %build @@ -157,6 +165,12 @@ %{_datadir}/pixmaps/* %changelog +* Tue Feb 05 2008 Carsten Schoene <cs@linux-administrator.com> +- add patches for security fixes: + - CORE-2008-1218 (demux_audio.c) + - CORE-2008-0122 (demux_mov.c) + - (url.c) + - (stream_cddb.c) * Sun Sep 30 2007 Carsten Schoene <cs@linux-administrator.com> - import for SLE_10 build
[-] [+]	Added	demux_audio_fix_20080129.diff ^
@@ -0,0 +1,13 @@ +Index: demux_audio.c +=================================================================== +--- libmpdemux/demux_audio.c (revision 24724) ++++ libmpdemux/demux_audio.c (working copy) +@@ -229,6 +229,8 @@ + ptr += 4; + + comment = ptr; ++ if (&comment[length] < comments \|\| &comment[length] >= &comments[blk_len]) ++ return; + c = comment[length]; + comment[length] = 0; +
[-] [+]	Added	demux_mov_fix_20080129.diff ^
@@ -0,0 +1,47 @@ +Index: demux_mov.c +=================================================================== +--- libmpdemux/demux_mov.c (revision 24724) ++++ libmpdemux/demux_mov.c (working copy) +@@ -173,11 +173,12 @@ + i=trak->chunkmap_size; + while(i>0){ + --i; +- for(j=trak->chunkmap[i].first;j<last;j++){ ++ j=FFMAX(trak->chunkmap[i].first, 0); ++ for(;j<last;j++){ + trak->chunks[j].desc=trak->chunkmap[i].sdid; + trak->chunks[j].size=trak->chunkmap[i].spc; + } +- last=trak->chunkmap[i].first; ++ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size); + } + + #if 0 +@@ -235,6 +236,8 @@ + s=0; + for(j=0;j<trak->durmap_size;j++){ + for(i=0;i<trak->durmap[j].num;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pts=pts; + ++s; + pts+=trak->durmap[j].dur; +@@ -246,6 +249,8 @@ + for(j=0;j<trak->chunks_size;j++){ + off_t pos=trak->chunks[j].pos; + for(i=0;i<trak->chunks[j].size;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pos=pos; + mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s, + trak->samples[s].pts, +@@ -1568,8 +1573,7 @@ + if( udta_len>udta_size) + udta_len=udta_size; + { +- char dump[udta_len-4]; +- stream_read(demuxer->stream, (char *)&dump, udta_len-4-4); ++ stream_skip(demuxer->stream, udta_len-4-4); + udta_size -= udta_len; + } + }
[-] [+]	Added	stream_cddb_fix_20080120.diff ^
@@ -0,0 +1,34 @@ +Index: stream_cddb.c +=================================================================== +--- stream/stream_cddb.c (revision 24724) ++++ stream/stream_cddb.c (working copy) +@@ -53,6 +53,7 @@ + #include "version.h" + #include "stream.h" + #include "network.h" ++#include "libavutil/intreadwrite.h" + + #define DEFAULT_FREEDB_SERVER "freedb.freedb.org" + #define DEFAULT_CACHE_DIR "/.cddb/" +@@ -453,8 +454,9 @@ + } else { + len = ptr2-ptr+1; + } ++ len = FFMIN(sizeof(album_title) - 1, len); + strncpy(album_title, ptr, len); +- album_title[len-2]='\0'; ++ album_title[len]='\0'; + } + mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title); + return 0; +@@ -490,8 +492,9 @@ + } else { + len = ptr2-ptr+1; + } ++ len = FFMIN(sizeof(album_title) - 1, len); + strncpy(album_title, ptr, len); +- album_title[len-2]='\0'; ++ album_title[len]='\0'; + } + mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title); + return cddb_request_titles(cddb_data);
[-] [+]	Added	url_fix_20080120.diff ^
@@ -0,0 +1,12 @@ +Index: url.c +=================================================================== +--- stream/url.c (revision 24724) ++++ stream/url.c (working copy) +@@ -328,6 +328,7 @@ + } + } + ++ tmp = NULL; + while(i < len) { + // look for the next char that must be kept + for (j=i;j<len;j++) {