There is CVE-2008-3162 [1], and the FreeBSD port is still based on the 1.0rc2 sources, which haven't received this fix. The fix is in the Subversion repository for MPlayer [2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
[2] http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993

Fix: The following patch fixes the issue. It uses the plain upstream patch:

I have verified that the port builds and works for mpeg/avi files. I don't have any STR files at hand, so I am not able to test them, sorry.

The following VuXML entry should be evaluated and added:

<vuln vid="f4ac906b-e2d8-11dd-8bb6-0022156e8794">
  <topic>mplayer -- vulnerability in STR files processor</topic>
  <affects>
    <package>
      <name>mplayer</name>
      <range><lt>0.99.11_10</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/30994">
        <p>A vulnerability has been reported in FFmpeg, which potentially can be exploited by malicious people to compromise a user's system.</p>
        <p>The vulnerability is caused due to a boundary error within the "str_read_packet()" function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3162</cvename>
    <bid>30157</bid>
    <url>http://secunia.com/advisories/30994</url>
  </references>
  <dates>
    <discovery>2008-07-14</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

From 33b39401242cd68fed36fcf3a88b8d41f42fb4cd Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Thu, 15 Jan 2009 11:02:47 +0300 See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162 See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 See also: http://secunia.com/advisories/30994 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- multimedia/mplayer/Makefile | 2 +- multimedia/mplayer/files/patch-CVE-2008-3162 | 56 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletions(-) create mode 100644 multimedia/mplayer/files/patch-CVE-2008-3162 diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile index 0f79b24..5d153ba 100644 --- a/multimedia/mplayer/Makefile +++ b/multimedia/mplayer/Makefile @@ -7,7 +7,7 @@ PORTNAME= mplayer PORTVERSION= ${MPLAYER_PORT_VERSION} -PORTREVISION= 9 +PORTREVISION= 10 COMMENT= High performance media player supporting many formats diff --git a/multimedia/mplayer/files/patch-CVE-2008-3162 b/multimedia/mplayer/files/patch-CVE-2008-3162 new file mode 100644 index 0000000..bc66a3a --- /dev/null +++ b/multimedia/mplayer/files/patch-CVE-2008-3162 
@@ -0,0 +1,56 @@ +Obtained from upstream: http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/psxstr.c?view=patch&r1=13993&r2=13992&pathrev=13993 +See also: http://svn.mplayerhq.hu/ffmpeg?diff_format=h&view=rev&revision=13993 +See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 + +--- libavformat/psxstr.c 2008/06/26 20:50:15 13992 ++++ libavformat/psxstr.c 2008/06/26 22:22:10 13993 +@@ -274,12 +274,23 @@ + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } ++ + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ ++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR(EIO); + + pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; +@@ -293,15 +304,15 @@ + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= 
-1; + return 0; + } + -- 1.6.0.6
How-To-Repeat: Look at the above URLs and at the current MPlayer port sources after 'make patch'.
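Review bot: The reallocation test in the psxstr.c hunk at @@ -274,12 +274,23 @@ (pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE) no longer requires current_sector == 0, so a stream that starts in the middle of a frame gets a fresh buffer whose chunks before current_sector are never written by anything in this patch, yet frame_size bytes are still returned once the last sector arrives. Consider zero-filling the new buffer, or discarding the frame when the buffer is allocated with current_sector != 0. Two smaller points in the same hunk: the log string "missmatching sector_count" is misspelled, and the new validity check would be easier to audit with a comment stating that it bounds both the allocation size and the later copy offset.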
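Review bot: The unconditional memcpy in the psxstr.c hunk at @@ -293,15 +304,15 @@ needs a comment tying it to the bounds check added in the previous hunk: copying a full VIDEO_DATA_CHUNK_SIZE to offset current_sector*VIDEO_DATA_CHUNK_SIZE is only safe because current_sector < sector_count has been verified and the buffer is sector_count*VIDEO_DATA_CHUNK_SIZE bytes long, and nothing at the copy site says so. The closing assignments "pkt->data= NULL;" and "pkt->size= -1;" are also undocumented; a short comment should say that ownership of the buffer has moved to *ret_pkt and that -1 is a sentinel which can never equal sector_count*VIDEO_DATA_CHUNK_SIZE, forcing a new allocation for the next frame.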
Responsible Changed From-To: freebsd-ports-bugs->miwi miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Maintainer of multimedia/mplayer,

Please note that PR ports/130573 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/130573

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
miwi        2009-01-15 23:00:51 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml
  Log:
  - Document mplayer -- vulnerability in STR files processor

  PR:             based on 130573

  Revision  Changes    Path
  1.1823    +37 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: feedback->closed Committed. Thanks!
miwi        2009-01-15 23:56:54 UTC

  FreeBSD ports repository

  Modified files:
    multimedia/mplayer   Makefile
  Added files:
    multimedia/mplayer/files patch-CVE-2008-3162
  Log:
  - Fix FFmpeg libavformat "str_read_packet()" Buffer Overflow

  PR:             130573
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    maintainer via private mail
  Security:       http://www.vuxml.org/freebsd/5ccb1c14-e357-11dd-a765-0030843d3802.html

  Revision  Changes    Path
  1.182     +1 -1      ports/multimedia/mplayer/Makefile
  1.1       +52 -0     ports/multimedia/mplayer/files/patch-CVE-2008-3162 (new)