Gentoo Archives: gentoo-commits

From: "Sergei Trofimovich (slyfox)" <slyfox@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in media-libs/libmikmod/files: libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch libmikmod-3.2.0_beta2-fix-unload-crash.patch libmikmod-3.2.0_beta2-fix-vol-crash.patch libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch libmikmod-3.2.0_beta2-pa-workaround.patch
Date: Mon, 06 Feb 2012 21:46:46
Message-Id: 20120206214632.461EB2004B@flycatcher.gentoo.org
1 slyfox 12/02/06 21:46:32
2
3 Added: libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch
4 libmikmod-3.2.0_beta2-fix-unload-crash.patch
5 libmikmod-3.2.0_beta2-fix-vol-crash.patch
6 libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch
7 libmikmod-3.2.0_beta2-pa-workaround.patch
8 Log:
9 Fixed sdl-mixer crash (bug #300525 reported by A.C.Heron and fixed by pva).
10 Fixed CVE-2009-3995, CVE-2009-3996, CVE-2010-2546 and CVE-2010-2971 (security
11 bug #335892 by Stefan Behte; fixes are pulled from upstream, redhat and suse).
12 Added workaround to avoid a crash when libmikmod is run under the padsp pulseaudio wrapper.
13
14 (Portage version: 2.2.0_alpha85/cvs/Linux x86_64)
15
16 Revision Changes Path
17 1.1 media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch
18
19 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch?rev=1.1&view=markup
20 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch?rev=1.1&content-type=text/plain
21
22 Index: libmikmod-3.2.0_beta2-CVE-2009-3995-3996.patch
23 ===================================================================
24 #! /bin/sh /usr/share/dpatch/dpatch-run
25 ## CVE-2009-3995f.dpatch by <aw@×××××.de>
26 ##
27 ## All lines beginning with `## DP:' are a description of the patch.
28 ## DP: Patch for CVE-2009-3995 and CVE-2009-3996
29
30 @DPATCH@
31
32 diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c
33 --- libmikmod-3.1.11/loaders/load_it.c 2010-05-31 14:10:34.000000000 +0200
34 +++ libmikmod-3.1.11-fixed/loaders/load_it.c 2010-05-31 14:10:10.000000000 +0200
35 @@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious)
36 #endif
37
38 IT_ProcessEnvelope(vol);
39 + /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
40 + if (ih.volpts>= ENVPOINTS)
41 + ih.volpts = ENVPOINTS-1;
42 +
43 for(u=0;u<ih.volpts;u++)
44 d->volenv[u].val=(ih.volnode[u]<<2);
45
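Review bot: The clamp on `ih.volpts` sits after `IT_ProcessEnvelope(vol)`, so if that macro already iterates over `ih.volpts` (its body is outside this hunk) the out-of-range count is used before it is bounded; the bound belongs where the count is read from the file. It also covers only the volume envelope, and `if (ih.volpts>= ENVPOINTS) ih.volpts = ENVPOINTS-1;` drops a point when the count equals `ENVPOINTS` exactly, which looks like an off-by-one unless the destination arrays really hold `ENVPOINTS-1` entries. The CVE-2010-2546-2971 patch added by this same commit removes these lines and bounds the count inside `IT_LoadEnvelope` instead, so the two patches only make sense applied in that order. IT_Load's body starts and ends outside the hunk.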
46 diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c
47 --- libmikmod-3.1.11/loaders/load_ult.c 2010-05-31 14:10:34.000000000 +0200
48 +++ libmikmod-3.1.11-fixed/loaders/load_ult.c 2010-05-31 14:10:10.000000000 +0200
49 @@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious)
50 for(u=0;u<of.numchn;u++)
51 for(t=0;t<of.numpat;t++)
52 of.patterns[(t*of.numchn)+u]=tracks++;
53 + /* fix for CVE-2009-3996 - snatched from SuSe's fix -- AW */
54 + if (of.numchn>=UF_MAXCHAN)
55 + of.numchn=UF_MAXCHAN - 1;
56
57 /* read pan position table for v1.5 and higher */
58 if(mh.id[14]>='3') {
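Review bot: The new bound on `of.numchn` comes after the loop that has already indexed `of.patterns[(t*of.numchn)+u]` with the unclamped value, so any out-of-range write in that loop has happened by the time the check runs (the allocation of `of.patterns` is outside this hunk, so whether it is sized from the same count cannot be confirmed here). Lowering `of.numchn` afterwards also leaves the pattern table laid out with the old stride while later code sees the new channel count. The check should sit right after `of.numchn` is read from the header, and rejecting the file is safer than silently clamping, e.g. `if (of.numchn>=UF_MAXCHAN) { _mm_errno=MMERR_LOADING_HEADER; return 0; }` or whichever error path the loader already uses. ULT_Load's body starts and ends outside the hunk.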
59
60
61
62 1.1 media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-unload-crash.patch
63
64 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-unload-crash.patch?rev=1.1&view=markup
65 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-unload-crash.patch?rev=1.1&content-type=text/plain
66
67 Index: libmikmod-3.2.0_beta2-fix-unload-crash.patch
68 ===================================================================
69 Date: 15 Apr 2002 11:01:19 +0200
70 From: Guillaume Cottenceau <gc@××××××××××××.com>
71
72 Unfortunately, I should have double checked that the following
73 fix (authored by Dave Goehrig <dave@××××××××××××××.org>, not me),
74 was really in the CVS... it's not, as of stable 1.2.3 at least.
75 Please include it, it fixes a segfault on exiting a program which
76 disabled MOD music during its execution.
77
78 Gentoo-bug: http://bugs.gentoo.org/300525
79 diff -ru libmikmod-3.1.12.orig/playercode/virtch_common.c libmikmod-3.1.12/playercode/virtch_common.c
80 --- libmikmod-3.1.12.orig/playercode/virtch_common.c 2007-12-15 01:26:53.000000000 -0800
81 +++ libmikmod-3.1.12/playercode/virtch_common.c 2009-10-05 00:37:12.000000000 -0700
82 @@ -347,7 +347,7 @@
83
84 void VC1_SampleUnload(SWORD handle)
85 {
86 - if (handle<MAXSAMPLEHANDLES) {
87 + if (Samples && handle<MAXSAMPLEHANDLES) {
88 if (Samples[handle])
89 free(Samples[handle]);
90 Samples[handle]=NULL;
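Review bot: `handle` is a signed `SWORD` and the guard still checks only the upper bound, so a negative handle passes and `Samples[handle]` is read, freed and written before the start of the array. Whether any caller can pass a negative value is not visible here, but the check is cheap: `if (Samples && handle>=0 && handle<MAXSAMPLEHANDLES) {`. The inner `if (Samples[handle])` before `free()` is redundant, since `free(NULL)` is a no-op. The function body continues past the end of the hunk.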
91
92
93
94 1.1 media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-vol-crash.patch
95
96 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-vol-crash.patch?rev=1.1&view=markup
97 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-fix-vol-crash.patch?rev=1.1&content-type=text/plain
98
99 Index: libmikmod-3.2.0_beta2-fix-vol-crash.patch
100 ===================================================================
101 Yi-Huang Han - Wed Oct 24 21:55:47 PDT 2001
102 * Fixed MOD music volume when looping
103
104 Gentoo-bug: http://bugs.gentoo.org/300525
105 diff -ru libmikmod-3.1.12.orig/playercode/mplayer.c libmikmod-3.1.12/playercode/mplayer.c
106 --- libmikmod-3.1.12.orig/playercode/mplayer.c 2009-10-05 00:19:59.000000000 -0700
107 +++ libmikmod-3.1.12/playercode/mplayer.c 2009-10-05 00:44:35.000000000 -0700
108 @@ -3019,7 +3019,7 @@
109 {
110 MUTEX_LOCK(vars);
111 if (pf)
112 - pf->volume=(volume<0)?0:(volume>128)?128:volume;
113 + pf->volume=pf->initvolume=(volume<0)?0:(volume>128)?128:volume;
114 MUTEX_UNLOCK(vars);
115 }
116
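Review bot: Style point on the changed line: the nested ternary clamp now feeds a chained assignment to two fields, which hides that `pf->initvolume` is being overwritten as well. Computing the clamped value into a local first, e.g. `int v=(volume<0)?0:(volume>128)?128:volume;` followed by `pf->volume=pf->initvolume=v;`, would make the intent reviewable. A one-line comment should say why `initvolume` must follow `volume`, since the patch description mentions volume when looping. The function's signature is outside the hunk, so the type of `volume` is assumed here to be a signed integer.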
117
118
119
120 1.1 media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch
121
122 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch?rev=1.1&view=markup
123 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch?rev=1.1&content-type=text/plain
124
125 Index: libmikmod-3.2.0_beta2-CVE-2010-2546-2971.patch
126 ===================================================================
127 Related: https://bugzilla.redhat.com/show_bug.cgi?id=614643#c6
128 Gentoo-bug: http://bugs.gentoo.org/335892
129 --- loaders/load_it.c.orig 2010-07-22 16:02:16.000000000 +0200
130 +++ loaders/load_it.c 2010-07-22 16:07:48.000000000 +0200
131 @@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
132 #define IT_LoadEnvelope(name,type) \
133 ih. name##flg =_mm_read_UBYTE(modreader); \
134 ih. name##pts =_mm_read_UBYTE(modreader); \
135 + if (ih. name##pts > ITENVCNT) \
136 + ih. name##pts = ITENVCNT; \
137 ih. name##beg =_mm_read_UBYTE(modreader); \
138 ih. name##end =_mm_read_UBYTE(modreader); \
139 ih. name##susbeg=_mm_read_UBYTE(modreader); \
140 @@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
141 #define IT_LoadEnvelope(name,type) \
142 ih. name/**/flg =_mm_read_UBYTE(modreader); \
143 ih. name/**/pts =_mm_read_UBYTE(modreader); \
144 + if (ih. name/**/pts > ITENVCNT) \
145 + ih. name/**/pts = ITENVCNT; \
146 ih. name/**/beg =_mm_read_UBYTE(modreader); \
147 ih. name/**/end =_mm_read_UBYTE(modreader); \
148 ih. name/**/susbeg=_mm_read_UBYTE(modreader); \
149 @@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
150 #endif
151
152 IT_ProcessEnvelope(vol);
153 - /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
154 - if (ih.volpts>= ENVPOINTS)
155 - ih.volpts = ENVPOINTS-1;
156 -
157 for(u=0;u<ih.volpts;u++)
158 d->volenv[u].val=(ih.volnode[u]<<2);
159
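Review bot: The count is now bounded against `ITENVCNT` at read time, but the loop kept at the end of the last hunk still writes `d->volenv[u]` for `u<ih.volpts`, and the check being removed was against `ENVPOINTS`, so the fix is only complete if `ITENVCNT <= ENVPOINTS`. Neither constant's value is visible in these hunks; if both are preprocessor constants, a guard such as `#if ITENVCNT > ENVPOINTS` / `#error "IT envelope count exceeds ENVPOINTS"` / `#endif` next to the macro would pin that assumption. The `if` is also added bare inside a multi-statement macro, so `IT_LoadEnvelope` is only safe when expanded as a standalone statement sequence; a short comment on the macro saying so would help. IT_Load's body starts and ends outside the hunks.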
160
161
162
163 1.1 media-libs/libmikmod/files/libmikmod-3.2.0_beta2-pa-workaround.patch
164
165 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-pa-workaround.patch?rev=1.1&view=markup
166 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/libmikmod/files/libmikmod-3.2.0_beta2-pa-workaround.patch?rev=1.1&content-type=text/plain
167
168 Index: libmikmod-3.2.0_beta2-pa-workaround.patch
169 ===================================================================
170 Under padsp wrapper mikmod returns
171 buffinf.fragments = -1; buffinf.bytes = -65535.
172 Buggy oss emulation layer in pulseaudio.
173 More details in upstream report:
174
175 Gentoo-bug: http://bugs.gentoo.org/300525
176 Upstream-bug: https://bugs.freedesktop.org/show_bug.cgi?id=45643
177 diff --git a/drivers/drv_oss.c b/drivers/drv_oss.c
178 index 27766f2..74864c2 100644
179 --- a/drivers/drv_oss.c
180 +++ b/drivers/drv_oss.c
181 @@ -327,7 +327,7 @@ static void OSS_Update(void)
182 buffinf.fragments--;
183 buffinf.fragsize = buffinf.bytes = buffersize;
184 }
185 - if(!buffinf.fragments)
186 + if(buffinf.fragments < 1)
187 break;
188 done=VC_WriteBytes(audiobuffer,buffinf.fragsize>buffinf.bytes?
189 buffinf.bytes:buffinf.fragsize);
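Review bot: The new test rejects a negative `buffinf.fragments`, but the description above reports `buffinf.bytes = -65535` from the same call, and `buffinf.bytes` still flows unchecked into the length passed to `VC_WriteBytes` whenever `fragments` is positive. Extending the guard to `if(buffinf.fragments < 1 || buffinf.bytes < 1)` would keep a negative byte count out of the write path. Whether the call that fills `buffinf` has its return value checked is outside this hunk and worth confirming. OSS_Update's body starts and ends outside the hunk.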