From riggs@riggiland.dyndns.org  Thu Feb 23 20:56:50 2006
Return-Path: <riggs@riggiland.dyndns.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 657ED16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Feb 2006 20:56:50 +0000 (GMT)
	(envelope-from riggs@riggiland.dyndns.org)
Received: from mail-out.m-online.net (mail-out.m-online.net [212.18.0.9])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B60E643D45
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Feb 2006 20:56:49 +0000 (GMT)
	(envelope-from riggs@riggiland.dyndns.org)
Received: from mail01.m-online.net (svr21.m-online.net [192.168.3.149])
	by mail-out.m-online.net (Postfix) with ESMTP id 3D9E4721AE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Feb 2006 21:56:48 +0100 (CET)
Received: from riggiland.dyndns.org (ppp-62-245-209-115.mnet-online.de [62.245.209.115])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.m-online.net (Postfix) with ESMTP id 0B400B9342
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Feb 2006 21:56:47 +0100 (CET)
Received: from marvin.riggiland.au (localhost [127.0.0.1])
	by riggiland.dyndns.org (8.13.4/8.13.4) with ESMTP id k1NKukb9089164
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Feb 2006 21:56:46 +0100 (CET)
	(envelope-from riggs@marvin.riggiland.au)
Received: (from riggs@localhost)
	by marvin.riggiland.au (8.13.4/8.13.4/Submit) id k1NKukVC089163;
	Thu, 23 Feb 2006 21:56:46 +0100 (CET)
	(envelope-from riggs)
Message-Id: <200602232056.k1NKukVC089163@marvin.riggiland.au>
Date: Thu, 23 Feb 2006 21:56:46 +0100 (CET)
From: "Thomas E. Zander" <riggs@rrr.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [Maintainer-update] multimedia/mplayer (buf overflow)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         93767
>Category:       ports
>Synopsis:       [Maintainer-update] multimedia/mplayer (buf overflow)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    vd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 23 21:00:14 GMT 2006
>Closed-Date:    Thu Mar 09 08:49:32 GMT 2006
>Last-Modified:  Thu Mar 09 08:49:32 GMT 2006
>Originator:     Thomas E. Zander
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD marvin.riggiland.au 6.0-STABLE
>Description:
A potential mplayer vulnerability (heap overflow) has been detected
in the ASF demuxer.
Although at the moment no exploit is known, it is potentially dangerous,
especially as streaming content might be misused for remote exploits.
This PR adds a new file,

files/patch-libmpdemux-demuxer.h

which contains the official patch to address this issue.
>How-To-Repeat:
>Fix:
Patch for multimedia/mplayer:

diff -ruN /usr/ports/multimedia/mplayer/Makefile mplayer/Makefile
--- /usr/ports/multimedia/mplayer/Makefile	Tue Jan 10 07:23:45 2006
+++ mplayer/Makefile	Thu Feb 23 09:35:36 2006
@@ -270,7 +270,7 @@
 
 PORTNAME=	mplayer
 PORTVERSION=	0.99.7
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	multimedia audio ipv6
 MASTER_SITES=	http://www1.mplayerhq.hu/MPlayer/releases/ \
 		http://www2.mplayerhq.hu/MPlayer/releases/ \
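Review bot: the hunk header `@@ -270,7 +270,7 @@` places the PORTNAME/PORTVERSION/PORTREVISION block at line 270 of the port Makefile, which does not look like the position of a top-of-file block such as this one; if the header was edited by hand, regenerate the diff from the working tree so patch(1) applies it without offset or fuzz. Bumping PORTREVISION from 9 to 10 is the correct accompaniment to adding a new files/ patch, since the built package changes.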
diff -ruN /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h mplayer/files/patch-libmpdemux-demuxer.h
--- /usr/ports/multimedia/mplayer/files/patch-libmpdemux-demuxer.h	Thu Jan  1 01:00:00 1970
+++ mplayer/files/patch-libmpdemux-demuxer.h	Thu Feb 23 07:15:35 2006
@@ -0,0 +1,43 @@
+Index: libmpdemux/demuxer.h
+===================================================================
+RCS file: /cvsroot/mplayer/main/libmpdemux/demuxer.h,v
+retrieving revision 1.87
+retrieving revision 1.90
+diff -u -r1.87 -r1.90
+--- libmpdemux/demuxer.h	9 Feb 2006 19:39:51 -0000	1.87
++++ libmpdemux/demuxer.h	12 Feb 2006 17:01:30 -0000	1.90
+@@ -190,17 +190,19 @@
+   dp->flags=0;
+   dp->refcount=1;
+   dp->master=NULL;
+-  dp->buffer=len?(unsigned char*)malloc(len+8):NULL;
+-  if(len) memset(dp->buffer+len,0,8);
++  dp->buffer=NULL;
++  if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8)))
++    memset(dp->buffer + len, 0, 8);
++  else
++    dp->len = 0;
+   return dp;
+ }
+ 
+ inline static void resize_demux_packet(demux_packet_t* dp, int len)
+ {
+-  if(len)
++  if(len > 0)
+   {
+      dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);
+-     memset(dp->buffer+len,0,8);
+   }
+   else
+   {
+@@ -208,6 +210,10 @@
+      dp->buffer=NULL;
+   }
+   dp->len=len;
++  if (dp->buffer)
++     memset(dp->buffer + len, 0, 8);
++  else
++     dp->len = 0;
+ }
+ 
+ inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){
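Review bot: in resize_demux_packet the unchanged line `dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);` still assigns the realloc result straight into dp->buffer, so when realloc fails the previous allocation is lost and the new `else dp->len = 0;` branch silently turns that leak into an empty packet; realloc into a temporary and assign only on success, or at least document that a failed resize discards the packet's prior contents. The new_demux_packet change is sound as written: dp->buffer stays NULL unless len > 0 and malloc succeeds, and dp->len is forced to 0 otherwise, so the 8-byte padding memset can no longer run against a NULL or undersized buffer, and moving the resize memset after `dp->len=len;` behind an `if (dp->buffer)` guard closes the same hole on the realloc path. Separately, the port patch is added as patch-libmpdemux-demuxer.h; the committer's hint in the audit trail about Tools/scripts/splitpatch.pl refers to the file naming the ports tree expects, so future updates should let that script generate the name.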
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->vd 
Responsible-Changed-By: vd 
Responsible-Changed-When: Thu Mar 9 06:42:40 UTC 2006 
Responsible-Changed-Why:  
Grab 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93767 
State-Changed-From-To: open->closed 
State-Changed-By: vd 
State-Changed-When: Thu Mar 9 08:42:46 UTC 2006 
State-Changed-Why:  
Committed, thanks! 
Some hints: 
* you can use Tools/scripts/splitpatch.pl to create "standard" patch filenames 
* to speedup the process you can include words like patch, fix, security in the synopsis of the PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93767 
>Unformatted:
