[xmms] fix CVE-2007-0653 (better late than never, huh?), fix alsa output plugin loop, fix desktop file
Tom Callaway
spot at fedoraproject.org
Fri Jul 15 19:55:33 UTC 2011
commit 06537926ab103c54968d447fd6f4f2c9eb9bf1d4
Author: Tom "spot" Callaway <tcallawa at redhat.com>
Date: Fri Jul 15 15:55:19 2011 -0400
fix CVE-2007-0653 (better late than never, huh?), fix alsa output plugin loop, fix desktop file
xmms-1.2.10-ubuntu-CVE-2007-0653.patch | 44 +++++++++++++++++++
xmms-alsa-fix-loop.patch | 72 ++++++++++++++++++++++++++++++++
xmms.desktop | 2 +-
xmms.spec | 4 ++
4 files changed, 121 insertions(+), 1 deletions(-)
---
diff --git a/xmms-1.2.10-ubuntu-CVE-2007-0653.patch b/xmms-1.2.10-ubuntu-CVE-2007-0653.patch
new file mode 100644
index 0000000..d5c7185
--- /dev/null
+++ b/xmms-1.2.10-ubuntu-CVE-2007-0653.patch
@@ -0,0 +1,44 @@
+diff -up xmms-1.2.11-20071117cvs/xmms/bmp.c.CVE-2007-0653 xmms-1.2.11-20071117cvs/xmms/bmp.c
+--- xmms-1.2.11-20071117cvs/xmms/bmp.c.CVE-2007-0653 2006-07-10 17:45:11.000000000 -0400
++++ xmms-1.2.11-20071117cvs/xmms/bmp.c 2011-07-14 15:54:02.497834489 -0400
+@@ -19,6 +19,12 @@
+ */
+ #include "xmms.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ struct rgb_quad
+ {
+ guchar rgbBlue;
+@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
+ }
+ else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ {
+- gint ncols, i;
++ guint32 ncols, i;
+
+ ncols = offset - headSize - 14;
+ if (headSize == 12)
+@@ -201,9 +207,17 @@ GdkPixmap *read_bmp(gchar * filename)
+ }
+ }
+ fseek(file, offset, SEEK_SET);
++ /* verify buffer size */
++ if (!h || !w ||
++ w > (((UINT32_MAX - 3) / 3) / h) ||
++ h > (((UINT32_MAX - 3) / 3) / w)) {
++ g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++ fclose(file);
++ return NULL;
++ }
++ data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+ buffer = g_malloc(imgsize);
+ fread(buffer, imgsize, 1, file);
+- data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+
+ if (bitcount == 1)
+ read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
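Review bot: The new width/height guard in `read_bmp` protects only the `data` allocation; `imgsize` (its origin is outside the hunk) still reaches `g_malloc(imgsize)` and `fread(buffer, imgsize, 1, file)` unvalidated, and the `fread` result is ignored. Because `g_malloc` does not zero memory, a truncated file leaves `buffer` partly uninitialised when the `read_*_rgb` decoders consume it. Checking the read would close that gap, e.g. `if (fread(buffer, imgsize, 1, file) != 1) { g_free(buffer); g_free(data); fclose(file); return NULL; }`. The `UINT32_MAX` bound also only holds if `w` and `h` are 32-bit unsigned, which the `%u` in the warning suggests, but their declarations and the rest of the function are outside the hunk. A short comment on the guard stating that it prevents `w * 3 * h + 3` from wrapping would say more than `/* verify buffer size */`.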
diff --git a/xmms-alsa-fix-loop.patch b/xmms-alsa-fix-loop.patch
new file mode 100644
index 0000000..80b196a
--- /dev/null
+++ b/xmms-alsa-fix-loop.patch
@@ -0,0 +1,72 @@
+diff -up xmms-1.2.11-20071117cvs/Output/alsa/audio.c.debug xmms-1.2.11-20071117cvs/Output/alsa/audio.c
+--- xmms-1.2.11-20071117cvs/Output/alsa/audio.c.debug 2006-07-25 17:45:08.000000000 -0400
++++ xmms-1.2.11-20071117cvs/Output/alsa/audio.c 2011-07-14 17:44:59.751503336 -0400
+@@ -807,7 +807,7 @@ static void *alsa_loop(void *arg)
+ unsigned short *revents;
+
+ if (npfds <= 0)
+- goto _error;
++ goto _cleanup;
+ pfds = alloca(sizeof(*pfds) * npfds);
+ revents = alloca(sizeof(*revents) * npfds);
+ while (going && alsa_pcm)
+@@ -828,16 +828,34 @@ static void *alsa_loop(void *arg)
+ int i;
+ snd_pcm_poll_descriptors_revents(alsa_pcm, pfds,
+ npfds, revents);
+- for (i = 0; i < npfds; i++)
++ for (i = 0; i < npfds; i++)
++ {
+ if (revents[i] & POLLOUT)
+ {
++ debug("calling alsa_write_out_thread_data()");
+ alsa_write_out_thread_data();
++ debug("done with alsa_write_out_thread_data, break!");
+ break;
+- }
++ }
++ debug("Still in the for loop");
++ }
++ debug("Out of the for loop, but still in the if poll.");
+ }
++ debug("Still in the not-paused not-prebuffer conditional");
+ }
+ else
+- xmms_usleep(10000);
++ {
++ if (paused)
++ debug("Sorry, I'm paused. Taking a little nap.");
++ if (prebuffer)
++ debug("Buffering like Real Player.");
++ if (paused || prebuffer) {
++ xmms_usleep(10000);
++ } else {
++ debug("All done!");
++ goto _cleanup;
++ }
++ }
+
+ if (pause_request != paused)
+ alsa_do_pause(pause_request);
+@@ -850,11 +868,12 @@ static void *alsa_loop(void *arg)
+ }
+ }
+
+- _error:
++ _cleanup:
+ alsa_close_pcm();
+ g_free(thread_buffer);
+ thread_buffer = NULL;
+ pthread_exit(NULL);
++ return;
+ }
+
+ /* open callback */
+@@ -901,6 +920,7 @@ int alsa_open(AFormat fmt, int rate, int
+ flush_request = -1;
+
+ pthread_create(&audio_thread, NULL, alsa_loop, NULL);
++ debug("Do we get here?");
+ return 1;
+ }
+
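Review bot: The added `return;` at the end of `alsa_loop` carries no value although the function is declared `static void *alsa_loop(void *arg)`, and it follows `pthread_exit(NULL)` so it is never reached; `return NULL;` would silence the compiler without the constraint violation. The new `else` branch jumps to `_cleanup` whenever neither `paused` nor `prebuffer` is set. The enclosing `if` condition is outside the hunk, so if it tests anything besides those two flags (a buffer fill level, for example), a momentary miss would close the PCM and end the thread; a comment stating the intended exit condition is needed there. The `debug("Do we get here?")` line in `alsa_open` and the other trace strings read as leftover diagnostics, and the return value of `pthread_create` is still ignored.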
diff --git a/xmms.desktop b/xmms.desktop
index aa9b1f8..94c3326 100644
--- a/xmms.desktop
+++ b/xmms.desktop
@@ -69,7 +69,7 @@ Comment[vi]=Chơi tập tin nhạc Ogg Vorbis và các tập tin khác
Comment[zh_CN]=播放 Ogg Vorbis 及其它音频文件
Comment[zh_TW]=播放 Ogg Vorbis 以及其他音效檔案
Comment[zu]=Dlala i- Ogg Vorbis kanye namafayela okuzwa
-Exec=xmms -e %F
+Exec=xmms -e -p %F
Icon=xmms
MimeType=audio/x-mp3;audio/x-mod;audio/x-wav;audio/x-mpegurl;audio/mpegurl;audio/x-scpls;application/x-ogg;application/ogg
GenericName=Audio Player
diff --git a/xmms.spec b/xmms.spec
index cda5993..ce067d3 100644
--- a/xmms.spec
+++ b/xmms.spec
@@ -33,6 +33,8 @@ Patch12: %{name}-1.2.11-is_quitting.patch
Patch14: %{name}-1.2.10-configfile-safe-write.patch
Patch15: %{name}-1.2.10-reposition.patch
Patch16: %{name}-1.2.11-dso.patch
+Patch17: xmms-1.2.10-ubuntu-CVE-2007-0653.patch
+Patch18: xmms-alsa-fix-loop.patch
BuildRequires: gtk+-devel
BuildRequires: esound-devel
@@ -112,6 +114,8 @@ Files needed for building plug-ins for the X MultiMedia System.
%patch15 -p1
%patch9 -p1 -b .playonclick
%patch16 -p1 -b .dso
+%patch17 -p1 -b .CVE-2007-0653
+%patch18 -p1 -b .fix-loop
# Avoid standard rpaths on lib64 archs, --disable-rpath doesn't do it
sed -i -e 's|"/lib /usr/lib"|"/%{_lib} %{_libdir}"|' configure