[arch-commits] Commit in mplayer/trunk (PKGBUILD subreader-fix-srt-parsing.patch)

Evangelos Foutras foutrelis at nymeria.archlinux.org
Tue May 14 23:48:32 UTC 2013 

    Date: Wednesday, May 15, 2013 @ 01:48:31
  Author: foutrelis
Revision: 185551

upgpkg: mplayer 35920-3

Fix out of bound write access when parsing .srt.

Added:
  mplayer/trunk/subreader-fix-srt-parsing.patch
Modified:
  mplayer/trunk/PKGBUILD

---------------------------------+
 PKGBUILD                        |   17 ++++++++--
 subreader-fix-srt-parsing.patch |   60 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 4 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2013-05-14 23:25:14 UTC (rev 185550)
+++ PKGBUILD	2013-05-14 23:48:31 UTC (rev 185551)
@@ -5,7 +5,7 @@
 pkgbase=mplayer
 pkgname=('mplayer' 'mencoder')
 pkgver=35920
-pkgrel=2
+pkgrel=3
 arch=('i686' 'x86_64')
 makedepends=('libxxf86dga' 'libxxf86vm' 'libmad' 'libxinerama' 'sdl' 'lame' 'libtheora' 'xvidcore' 'libmng' 'libxss' 'libgl' 'smbclient'
 'aalib' 'jack' 'libcaca' 'x264' 'faac' 'faad2' 'lirc-utils'  'libxvmc' 'enca' 'libvdpau' 'opencore-amr' 'libdca' 'a52dec' 'schroedinger' 'libvpx'
@@ -13,15 +13,24 @@
 license=('GPL')
 url="http://www.mplayerhq.hu/"
 options=(!buildflags !emptydirs)
-source=(ftp://ftp.archlinux.org/other/packages/$pkgbase/$pkgbase-$pkgver.tar.xz mplayer.desktop cdio-includes.patch)
+source=(ftp://ftp.archlinux.org/other/packages/$pkgbase/$pkgbase-$pkgver.tar.xz mplayer.desktop cdio-includes.patch subreader-fix-srt-parsing.patch)
 md5sums=('5f96e829d711e7d1ea65e324710dca50'
          'c0d6ef795cf6de48e3b87ff7c23f0319'
-         '7b5be7191aafbea64218dc4916343bbc')
+         '7b5be7191aafbea64218dc4916343bbc'
+         '7cb6019018a95dcc3d1231e1aaa8bbdb')
 
-build() {
+prepare() {
     cd "$srcdir/$pkgbase"
+
     patch -Np0 -i ../cdio-includes.patch
 
+    # http://bugzilla.mplayerhq.hu/show_bug.cgi?id=2139
+    patch -Np1 -i ../subreader-fix-srt-parsing.patch
+}
+
+build() {
+    cd "$srcdir/$pkgbase"
+
     ./configure --prefix=/usr \
         --enable-runtime-cpudetection \
         --disable-gui \

Added: subreader-fix-srt-parsing.patch
===================================================================
--- subreader-fix-srt-parsing.patch	                        (rev 0)
+++ subreader-fix-srt-parsing.patch	2013-05-14 23:48:31 UTC (rev 185551)
@@ -0,0 +1,60 @@
+From d98e61ea438db66323734ad1b6bea66411a3c97b Mon Sep 17 00:00:00 2001
+From: wm4 <wm4 at nowhere>
+Date: Tue, 30 Apr 2013 00:09:31 +0200
+Subject: [PATCH] subreader: fix out of bound write access when parsing .srt
+
+This broke .srt subtitles on gcc-4.8. The breakage was relatively
+subtle: it set all hour components to 0, while everything else was
+parsed successfully.
+
+But the problem is really that sscanf wrote 1 byte past the sep
+variable (or more, for invalid/specially prepared input). The %[..]
+format specifier is unbounded. Fix that by letting sscanf drop the
+parsed contents with "*", and also make it skip only one input
+character by adding "1" (=> "%*1[...").
+
+The out of bound write could easily lead to security issues.
+
+Also, this change makes .srt subtitle parsing slightly more strict.
+Strictly speaking this is an unrelated change, but do it anyway. It's
+more correct.
+---
+ sub/subreader.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+ (foutrelis: adjusted variable names in first hunk to apply to mplayer)
+
+diff --git a/sub/subreader.c b/sub/subreader.c
+index 23da4c7..0f1b6c9 100644
+--- a/sub/subreader.c
++++ b/sub/subreader.c
+@@ -386,14 +386,14 @@ static subtitle *sub_ass_read_line_subviewer(stream_t *st, subtitle *current,
+     int h1, m1, s1, ms1, h2, m2, s2, ms2, j = 0;
+ 
+     while (!current->text[0]) {
+-        char line[LINE_LEN + 1], full_line[LINE_LEN + 1], sep;
++        char line[LINE_LEN + 1], full_line[LINE_LEN + 1];
+         int i;
+ 
+         /* Parse SubRip header */
+         if (!stream_read_line(st, line, LINE_LEN, utf16))
+             return NULL;
+-        if (sscanf(line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",
+-                     &h1, &m1, &s1, &sep, &ms1, &h2, &m2, &s2, &sep, &ms2) < 10)
++        if (sscanf(line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",
++                     &h1, &m1, &s1, &ms1, &h2, &m2, &s2, &ms2) < 8)
+             continue;
+ 
+         current->start = a1 * 360000 + a2 * 6000 + a3 * 100 + a4 / 10;
+@@ -450,7 +450,7 @@ static subtitle *sub_read_line_subviewer(stream_t *st,subtitle *current,
+         return sub_ass_read_line_subviewer(st, current, args);
+     while (!current->text[0]) {
+ 	if (!stream_read_line (st, line, LINE_LEN, utf16)) return NULL;
+-	if ((len=sscanf (line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",&a1,&a2,&a3,(char *)&i,&a4,&b1,&b2,&b3,(char *)&i,&b4)) < 10)
++	if ((len=sscanf (line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",&a1,&a2,&a3,&a4,&b1,&b2,&b3,&b4)) < 8)
+ 	    continue;
+ 	current->start = a1*360000+a2*6000+a3*100+a4/10;
+ 	current->end   = b1*360000+b2*6000+b3*100+b4/10;
+-- 
+1.8.1.6
+

More information about the arch-commits mailing list