ports/opt
4
3
Fork 1
Code Issues 1 Pull Requests Activity
45b497f3c1
opt/mpg123/mpg123-0.59s-security.patch
Juergen Daubert 15915cafaa mpg123: fix for make 3.81, split up patch
2006-06-16 06:47:03 +00:00

359 lines
10 KiB
Diff
Raw Blame History

### CAN-2003-0577
diff -urN mpg123.old/common.c mpg123/common.c
--- mpg123.old/common.c 2001-05-16 09:56:56.000000000 -0700
+++ mpg123/common.c 2003-09-30 00:31:24.000000000 -0700
@@ -127,7 +127,7 @@
return FALSE;
if(!((head>>17)&3))
return FALSE;
- if( ((head>>12)&0xf) == 0xf)
+ if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0)
return FALSE;
if( ((head>>10)&0x3) == 0x3 )
return FALSE;
@@ -140,7 +140,7 @@
* -1: giving up
* 1: synched
*/
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
#define SYNC_HEAD_MASK 0xffff0000
#define SYNC_HEAD_MASK_FF 0x0000f000
#define LOOK_AHEAD_NUM 3
@@ -579,7 +579,11 @@
fprintf(stderr,"Sorry, unknown layer type.\n");
return (0);
}
-
+ if (fr->framesize>MAX_INPUT_FRAMESIZE) {
+ fprintf(stderr,"Frame size too big.\n");
+ fr->framesize = MAX_INPUT_FRAMESIZE;
+ return 0;
+ }
if(!fr->bitrate_index) {
/* fprintf(stderr,"Warning, Free format not heavily tested: (head %08lx)\n",newhead); */
fr->framesize = 0;
### CAN-2003-0865
diff -Nru mpg123.orig/httpget.c mpg123/httpget.c
--- mpg123.orig/httpget.c 2006-06-16 08:04:50.000000000 +0200
+++ mpg123/httpget.c 2006-06-16 08:05:14.000000000 +0200
@@ -55,7 +55,7 @@
#endif
int pos = 0;
- while(1) {
+ while(maxlen>pos) {
if( read(fileno(f),string+pos,1) == 1) {
pos++;
if(string[pos-1] == '\n') {
### CAN-2004-0805
--- mpg123/layer2.c.orig 2004-09-14 17:15:48.000000000 -0400
+++ mpg123/layer2.c 2004-09-14 17:18:49.000000000 -0400
@@ -287,6 +287,12 @@
fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
(fr->mode_ext<<2)+4 : fr->II_sblimit;
+ /* security fix. */
+ if (fr->jsbound > fr->II_sblimit) {
+ fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
+ fr->jsbound=fr->II_sblimit;
+ }
+
if(stereo == 1 || single == 3)
single = 0;
### CAN-2004-0982
--- mpg123-orig/httpget.c 2000-10-30 18:45:12.000000000 +0100
+++ mpg123-myfix/httpget.c 2006-05-22 02:45:59.000000000 +0200
@@ -3,6 +3,11 @@
*
* Oliver Fromme <oliver.fromme@heim3.tu-clausthal.de>
* Wed Apr 9 20:57:47 MET DST 1997
+ *
+ * Modified by Jeremy Huddleston <eradicator@gentoo.org> 2004.10.21 per
+ * http://bugs.gentoo.org/show_bug.cgi?id=68343
+ * http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt
+ *
*/
#undef ALSA
@@ -221,12 +226,12 @@ unsigned char *proxyport;
#define ACCEPT_HEAD "Accept: audio/mpeg, audio/x-mpegurl, */*\r\n"
char *httpauth = NULL;
-char httpauth1[256];
+char *httpauth1 = NULL;
int http_open (char *url)
{
char *purl, *host, *request, *sptr;
- int linelength;
+ unsigned int linelength, linelengthbase, purl_length;
unsigned long myip;
unsigned char *myport;
int sock;
@@ -270,53 +275,80 @@ int http_open (char *url)
exit(1);
}
-
- if ((linelength = strlen(url)+200) < 1024)
- linelength = 1024;
- if (!(request = malloc(linelength)) || !(purl = malloc(1024))) {
+ /*
+ * The length of purl is upper bound by 3*strlen(url) + 1 if everything
+ * in it is a space. For HTTP redirections, we need something longer;
+ * 1024 bytes were arbitrarily chosen.
+ */
+ purl_length = strlen(url) * 3 + 1;
+ if (purl_length < 1024) purl_length = 1024;
+ purl = (char *)malloc(sizeof(char) * purl_length);
+ if (!purl) {
fprintf (stderr, "malloc() failed, out of memory.\n");
exit (1);
}
- /*
- * 2000-10-21:
- * We would like spaces to be automatically converted to %20's when
- * fetching via HTTP.
- * -- Martin Sj<53>gren <md9ms@mdstud.chalmers.se>
- */
- if ((sptr = strchr(url, ' ')) == NULL) {
- strncpy (purl, url, 1023);
- purl[1023] = '\0';
- }
- else {
- int purllength = 0;
- char *urlptr = url;
- purl[0] = '\0';
- do {
- purllength += sptr-urlptr + 3;
- if (purllength >= 1023)
- break;
- strncat (purl, urlptr, sptr-urlptr);
- //purl[sptr-url] = '\0';
- strcat (purl, "%20");
- urlptr = sptr + 1;
- }
- while ((sptr = strchr (urlptr, ' ')) != NULL);
- strcat (purl, urlptr);
- }
+ /*
+ * 2000-10-21:
+ * We would like spaces to be automatically converted to %20's when
+ * fetching via HTTP.
+ * -- Martin Sj<53>gren <md9ms@mdstud.chalmers.se>
+ */
+ if ((sptr = strchr(url, ' ')) == NULL) {
+ strcpy (purl, url);
+ } else {
+ char *urlptr = url;
+ purl[0] = '\0';
+ do {
+ strncat (purl, urlptr, sptr - urlptr);
+ strcat (purl, "%20");
+ urlptr = sptr + 1;
+ }
+ while ((sptr = strchr (urlptr, ' ')) != NULL);
+ strcat (purl, urlptr);
+ }
+
+ httpauth1 = (char *)malloc((strlen(purl) + 1) * sizeof(char));
+ if(!httpauth1) {
+ fprintf(stderr, "malloc() failed, out of memory.\n");
+ exit(1);
+ }
+ getauthfromURL(purl,httpauth1);
+
+ /* "GET http://" + 11
+ * " HTTP/1.0\r\nUser-Agent: <prgName>/<prgVersion>\r\n" 26 + prgName + prgVersion
+ * ACCEPT_HEAD strlen(ACCEPT_HEAD)
+ * "Authorization: Basic \r\n" 23
+ * "\r\n" 2
+ */
+ linelengthbase = 62 + strlen(prgName) + strlen(prgVersion) + strlen(ACCEPT_HEAD);
+
+ if(httpauth)
+ linelengthbase += (strlen(httpauth) + 1) * 4;
- getauthfromURL(purl,httpauth1);
+ if(httpauth1)
+ linelengthbase += (strlen(httpauth1) + 1) * 4;
do {
- strcpy (request, "GET ");
if (proxyip != INADDR_NONE) {
- if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0)
- strcat (request, "http://");
- strcat (request, purl);
myport = proxyport;
myip = proxyip;
- }
- else {
+
+ linelength = linelengthbase + strlen(purl);
+ if(host)
+ linelength += 9 + strlen(host) + strlen(myport); /* "Host: <host>:<port>\r\n" */
+
+ request = (char *)malloc((linelength + 1) * sizeof(char));
+ if (!request) {
+ fprintf (stderr, "malloc() failed, out of memory.\n");
+ exit (1);
+ }
+
+ strcpy (request, "GET ");
+ if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0)
+ strcat (request, "http://");
+ strcat (request, purl);
+ } else {
if (host) {
free(host);
host=NULL;
@@ -325,19 +357,30 @@ int http_open (char *url)
free(proxyport);
proxyport=NULL;
}
- if (!(sptr = url2hostport(purl, &host, &myip, &myport))) {
- fprintf (stderr, "Unknown host \"%s\".\n",
- host ? host : "");
+
+ sptr = url2hostport(purl, &host, &myip, &myport);
+ if (!sptr) {
+ fprintf (stderr, "Unknown host \"%s\".\n", host ? host : "");
+ exit (1);
+ }
+
+ linelength = linelengthbase + strlen(sptr);
+ if(host)
+ linelength += 9 + strlen(host) + strlen(myport); /* "Host: <host>:<port>\r\n" */
+
+ request = (char *)malloc((linelength + 1) * sizeof(char));
+ if (!request) {
+ fprintf (stderr, "malloc() failed, out of memory.\n");
exit (1);
}
+
+ strcpy (request, "GET ");
strcat (request, sptr);
}
- sprintf (request + strlen(request),
- " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
- prgName, prgVersion);
+
+ sprintf (request + strlen(request), " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion);
if (host) {
- sprintf(request + strlen(request),
- "Host: %s:%s\r\n", host, myport);
+ sprintf(request + strlen(request), "Host: %s:%s\r\n", host, myport);
#if 0
free (host);
#endif
@@ -394,15 +437,29 @@ fail:
exit(1);
}
- if (strlen(httpauth1) || httpauth) {
- char buf[1023];
+ if (httpauth1 || httpauth) {
+ char *buf;
strcat (request,"Authorization: Basic ");
- if(strlen(httpauth1))
- encode64(httpauth1,buf);
- else
- encode64(httpauth,buf);
- strcat (request,buf);
+ if(httpauth1) {
+ buf=(char *)malloc((strlen(httpauth1) + 1) * 4 * sizeof(char));
+ if(!buf) {
+ fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting.");
+ exit(1);
+ }
+ encode64(httpauth1,buf);
+ free(httpauth1);
+ } else {
+ buf=(char *)malloc((strlen(httpauth) + 1) * 4 * sizeof(char));
+ if(!buf) {
+ fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting.");
+ exit(1);
+ }
+ encode64(httpauth,buf);
+ }
+
+ strcat (request, buf);
strcat (request,"\r\n");
+ free(buf);
}
strcat (request, "\r\n");
@@ -428,16 +485,19 @@ fail:
}
do {
readstring (request, linelength-1, myfile);
- if (!strncmp(request, "Location:", 9))
- strncpy (purl, request+10, 1023);
+ if (!strncmp(request, "Location:", 9)) {
+ strncpy (purl, request+10, purl_length);
+ purl[purl_length - 1] = 0;
+ }
} while (request[0] != '\r' && request[0] != '\n');
+
+ free(request);
} while (relocate && purl[0] && numrelocs++ < 5);
if (relocate) {
fprintf (stderr, "Too many HTTP relocations.\n");
exit (1);
}
- free (purl);
- free (request);
+ free(purl);
free(host);
free(proxyport);
free(myport);
### CAN-2004-0991
diff -Naurp mpg123-0.59s.vanilla/layer2.c mpg123/layer2.c
--- mpg123-0.59s.vanilla/layer2.c 2004-12-18 17:53:59.256803488 -0800
+++ mpg123/layer2.c 2005-01-06 01:28:56.389304770 -0800
@@ -262,7 +262,7 @@ static void II_select_table(struct frame
{ alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
static int sblims[5] = { 27 , 30 , 8, 12 , 30 };
- if(fr->lsf)
+ if(fr->sampling_frequency >= 3) /* Or equivalent: (fr->lsf == 1) */
table = 4;
else
table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
### CAN-2004-1284
diff -Naur mpg123-0.59s.vanilla/playlist.c mpg123/playlist.c
--- mpg123-0.59s.vanilla/playlist.c 2000-10-25 04:05:26.000000000 -0700
+++ mpg123/playlist.c 2004-12-18 17:53:34.337908223 -0800
@@ -110,9 +110,9 @@
if ((playlist->listnamedir) && (line[0]!='/') && (line[0]!='\\')
&& (strncasecmp(line, "http://", 7)) && (strncasecmp(line,
"ftp://",6)) ){
- strcpy (linetmp, playlist->listnamedir);
- strcat (linetmp, line);
- strcpy (line, linetmp);
+ strncpy (linetmp, playlist->listnamedir, 1023);
+ strncat (linetmp, line, 1023 - strlen(linetmp));
+ strncpy (line, linetmp, 1023);
}
return 1;
}
Reference in New Issue View Git Blame Copy Permalink