The following diff fixes a stack-based buffer overflow (unbounded `%s`
conversions in sscanf writing into fixed-size character arrays) in the CDDB
handling code in MPlayer.

CVE-2007-2948


Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/mplayer/Makefile,v
retrieving revision 1.118
diff -u -p -r1.118 Makefile
--- Makefile    28 Apr 2007 11:09:51 -0000      1.118
+++ Makefile    7 Jun 2007 04:05:39 -0000
@@ -7,7 +7,7 @@ COMMENT=                "Movie player supporting MPEG,
 
 DISTNAME=              MPlayer-1.0pre8
 DIST_SUBDIR=           mplayer
-PKGNAME=               ${DISTNAME:L}p13
+PKGNAME=               ${DISTNAME:L}p14
 CATEGORIES=            x11
 EXTRACT_SUFX=          .tar.bz2
 
Index: patches/patch-libmpdemux_cddb_c
===================================================================
RCS file: patches/patch-libmpdemux_cddb_c
diff -N patches/patch-libmpdemux_cddb_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-libmpdemux_cddb_c     7 Jun 2007 04:21:35 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- libmpdemux/cddb.c.orig     Thu Jun  7 00:18:16 2007
++++ libmpdemux/cddb.c  Thu Jun  7 00:21:18 2007
+@@ -437,7 +437,7 @@ cddb_read_parse(HTTP_header_t *http_hdr, cddb_data_t *
+ 
+       switch(status) {
+               case 210:
+-                      ret = sscanf( http_hdr->body, "%d %s %08lx", &status, 
category, &disc_id);
++                      ret = sscanf( http_hdr->body, "%d %99s %08lx", &status, 
category, &disc_id);
+                       if( ret!=3 ) {
+                               mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+                               return -1;
+@@ -498,7 +498,7 @@ cddb_parse_matches_list(HTTP_header_t *http_hdr, cddb_
+       ptr++;
+       // We have a list of exact/inexact matches, so which one do we use?
+       // So let's take the first one.
+-      ret = sscanf(ptr, "%s %08lx %s", cddb_data->category, 
&(cddb_data->disc_id), album_title);
++      ret = sscanf(ptr, "%99s %08lx %99s", cddb_data->category, 
&(cddb_data->disc_id), album_title);
+       if( ret!=3 ) {
+               mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+               return -1;
+@@ -535,7 +535,7 @@ cddb_query_parse(HTTP_header_t *http_hdr, cddb_data_t 
+       switch(status) {
+               case 200:
+                       // Found exact match
+-                      ret = sscanf(http_hdr->body, "%d %s %08lx %s", &status, 
cddb_data->category, &(cddb_data->disc_id), album_title);
++                      ret = sscanf(http_hdr->body, "%d %99s %08lx %99s", 
&status, cddb_data->category, &(cddb_data->disc_id), album_title);
+                       if( ret!=4 ) {
+                               mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
+                               return -1;
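Review bot: The new `%99s` widths in all three hunks hard-code the assumption that `category`, `album_title` and the `category` member of `cddb_data_t` are 100-byte arrays, but none of those declarations are visible in this patch, so the bound cannot be checked here and nothing stops a later change to an array size from silently reintroducing the overflow. If the sizes are indeed 100, tie the width to them instead of repeating a bare literal, e.g. `#define CDDB_FIELD_WIDTH "99" /* = array size - 1, leaves room for the NUL */` next to the array declarations and `sscanf(http_hdr->body, "%d %" CDDB_FIELD_WIDTH "s %08lx", ...)` at the call sites. Remember that `%99s` writes up to 99 bytes plus the terminator, so each destination must be at least 100 bytes; please confirm against the declarations, which lie outside this patch. The bodies of cddb_read_parse, cddb_parse_matches_list and cddb_query_parse all start and end outside these hunks.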
