[xmms] fix CVE-2007-0653 (better late than never, huh?), fix alsa output plugin loop, fix desktop file

Tom Callaway spot at fedoraproject.org
Fri Jul 15 19:55:33 UTC 2011


commit 06537926ab103c54968d447fd6f4f2c9eb9bf1d4
Author: Tom "spot" Callaway <tcallawa at redhat.com>
Date:   Fri Jul 15 15:55:19 2011 -0400

    fix CVE-2007-0653 (better late than never, huh?), fix alsa output plugin loop, fix desktop file

 xmms-1.2.10-ubuntu-CVE-2007-0653.patch |   44 +++++++++++++++++++
 xmms-alsa-fix-loop.patch               |   72 ++++++++++++++++++++++++++++++++
 xmms.desktop                           |    2 +-
 xmms.spec                              |    4 ++
 4 files changed, 121 insertions(+), 1 deletions(-)
---
diff --git a/xmms-1.2.10-ubuntu-CVE-2007-0653.patch b/xmms-1.2.10-ubuntu-CVE-2007-0653.patch
new file mode 100644
index 0000000..d5c7185
--- /dev/null
+++ b/xmms-1.2.10-ubuntu-CVE-2007-0653.patch
@@ -0,0 +1,44 @@
+diff -up xmms-1.2.11-20071117cvs/xmms/bmp.c.CVE-2007-0653 xmms-1.2.11-20071117cvs/xmms/bmp.c
+--- xmms-1.2.11-20071117cvs/xmms/bmp.c.CVE-2007-0653	2006-07-10 17:45:11.000000000 -0400
++++ xmms-1.2.11-20071117cvs/xmms/bmp.c	2011-07-14 15:54:02.497834489 -0400
+@@ -19,6 +19,12 @@
+  */
+ #include "xmms.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ struct rgb_quad
+ {
+ 	guchar rgbBlue;
+@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
+ 	}
+ 	else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ 	{
+-		gint ncols, i;
++		guint32 ncols, i;
+ 
+ 		ncols = offset - headSize - 14;
+ 		if (headSize == 12)
+@@ -201,9 +207,17 @@ GdkPixmap *read_bmp(gchar * filename)
+ 		}
+ 	}
+ 	fseek(file, offset, SEEK_SET);
++	/* verify buffer size */
++	if (!h || !w ||
++	    w > (((UINT32_MAX - 3) / 3) / h) ||
++	    h > (((UINT32_MAX - 3) / 3) / w)) {
++		g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++		fclose(file);
++		return NULL;
++	}
++	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 	buffer = g_malloc(imgsize);
+ 	fread(buffer, imgsize, 1, file);
+-	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 
+ 	if (bitcount == 1)
+ 		read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
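Review bot: The new guard bounds `w * 3 * h + 3` for `data`, but `imgsize` is still passed unchecked to `g_malloc(imgsize)` and the result of `fread(buffer, imgsize, 1, file)` is ignored. A truncated file would leave `buffer` holding uninitialized heap bytes that decoders such as `read_1b_rgb` then consume; whether `imgsize` is validated against `w` and `h` earlier is not visible here. Checking the read closes the short-file case: `if (fread(buffer, imgsize, 1, file) != 1) { g_free(buffer); g_free(data); fclose(file); return NULL; }`. Changing `ncols` to `guint32` also makes `offset - headSize - 14` wrap to a very large value instead of going negative when `offset` is small, so the code consuming `ncols` should be confirmed to reject that. read_bmp starts and ends outside the hunk, as does the `ncols` code.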
diff --git a/xmms-alsa-fix-loop.patch b/xmms-alsa-fix-loop.patch
new file mode 100644
index 0000000..80b196a
--- /dev/null
+++ b/xmms-alsa-fix-loop.patch
@@ -0,0 +1,72 @@
+diff -up xmms-1.2.11-20071117cvs/Output/alsa/audio.c.debug xmms-1.2.11-20071117cvs/Output/alsa/audio.c
+--- xmms-1.2.11-20071117cvs/Output/alsa/audio.c.debug	2006-07-25 17:45:08.000000000 -0400
++++ xmms-1.2.11-20071117cvs/Output/alsa/audio.c	2011-07-14 17:44:59.751503336 -0400
+@@ -807,7 +807,7 @@ static void *alsa_loop(void *arg)
+ 	unsigned short *revents;
+ 
+ 	if (npfds <= 0)
+-		goto _error;
++		goto _cleanup;
+ 	pfds = alloca(sizeof(*pfds) * npfds);
+ 	revents = alloca(sizeof(*revents) * npfds);
+ 	while (going && alsa_pcm)
+@@ -828,16 +828,34 @@ static void *alsa_loop(void *arg)
+ 				int i;
+ 				snd_pcm_poll_descriptors_revents(alsa_pcm, pfds,
+ 								 npfds, revents);
+-				for (i = 0; i < npfds; i++)
++				for (i = 0; i < npfds; i++) 
++				{
+ 					if (revents[i] & POLLOUT)
+ 					{
++						debug("calling alsa_write_out_thread_data()");
+ 						alsa_write_out_thread_data();
++						debug("done with alsa_write_out_thread_data, break!");
+ 						break;
+-					}
++					} 
++					debug("Still in the for loop");
++				}
++				debug("Out of the for loop, but still in the if poll.");	
+ 			}
++			debug("Still in the not-paused not-prebuffer conditional");
+ 		}
+ 		else
+-			xmms_usleep(10000);
++		{
++			if (paused)
++				debug("Sorry, I'm paused. Taking a little nap.");
++			if (prebuffer)
++				debug("Buffering like Real Player.");
++			if (paused || prebuffer) {
++				xmms_usleep(10000);
++			} else {
++				debug("All done!");
++				goto _cleanup;
++			}
++		}
+ 
+ 		if (pause_request != paused)
+ 			alsa_do_pause(pause_request);
+@@ -850,11 +868,12 @@ static void *alsa_loop(void *arg)
+ 		}
+ 	}
+ 
+- _error:
++ _cleanup:
+ 	alsa_close_pcm();
+ 	g_free(thread_buffer);
+ 	thread_buffer = NULL;
+ 	pthread_exit(NULL);
++	return;
+ }
+ 
+ /* open callback */
+@@ -901,6 +920,7 @@ int alsa_open(AFormat fmt, int rate, int
+ 	flush_request = -1;
+ 	
+ 	pthread_create(&audio_thread, NULL, alsa_loop, NULL);
++	debug("Do we get here?");
+ 	return 1;
+ }
+  
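Review bot: The added `return;` at the end of `alsa_loop` carries no value although the function is declared `static void *alsa_loop(void *arg)`, and it follows `pthread_exit(NULL)`, which does not return. Either drop the line or write `return NULL;` so the compiler does not flag a valueless return in a non-void function. The new `else` branch now jumps to `_cleanup`, closing the PCM and ending the thread, whenever neither `paused` nor `prebuffer` is set. The enclosing `if` condition is outside the hunk, so confirm that a momentarily empty buffer during normal playback cannot take this path. The `debug()` calls inside the poll loop and after `pthread_create` ("Do we get here?", "Still in the for loop") read like diagnostic tracing and would be better removed, or reduced to a single message at `_cleanup`, before shipping.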
diff --git a/xmms.desktop b/xmms.desktop
index aa9b1f8..94c3326 100644
--- a/xmms.desktop
+++ b/xmms.desktop
@@ -69,7 +69,7 @@ Comment[vi]=Chơi tập tin nhạc Ogg Vorbis và các tập tin khác
 Comment[zh_CN]=播放 Ogg Vorbis 及其它音频文件
 Comment[zh_TW]=播放 Ogg Vorbis 以及其他音效檔案
 Comment[zu]=Dlala i- Ogg Vorbis kanye namafayela okuzwa
-Exec=xmms -e %F
+Exec=xmms -e -p %F
 Icon=xmms
 MimeType=audio/x-mp3;audio/x-mod;audio/x-wav;audio/x-mpegurl;audio/mpegurl;audio/x-scpls;application/x-ogg;application/ogg
 GenericName=Audio Player
diff --git a/xmms.spec b/xmms.spec
index cda5993..ce067d3 100644
--- a/xmms.spec
+++ b/xmms.spec
@@ -33,6 +33,8 @@ Patch12:        %{name}-1.2.11-is_quitting.patch
 Patch14:	%{name}-1.2.10-configfile-safe-write.patch
 Patch15:	%{name}-1.2.10-reposition.patch
 Patch16:	%{name}-1.2.11-dso.patch
+Patch17:	xmms-1.2.10-ubuntu-CVE-2007-0653.patch
+Patch18:	xmms-alsa-fix-loop.patch
 
 BuildRequires:  gtk+-devel
 BuildRequires:  esound-devel
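Review bot: The spec gains only the `Patch17`/`Patch18` declarations here and the matching `%patch17`/`%patch18` lines in the `%prep` hunk. That accounts for all four insertions in the diffstat, so this commit neither bumps `Release` nor adds a `%changelog` entry. For a security fix, a changelog line naming CVE-2007-0653 lets users and audit tooling that read the RPM changelog see that the installed build is patched. If the entry lands in a follow-up commit, this can be ignored. A short comment above `Patch17` noting that it is the Ubuntu-derived bmp.c fix would also help whoever next rebases the patch set.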
@@ -112,6 +114,8 @@ Files needed for building plug-ins for the X MultiMedia System.
 %patch15 -p1
 %patch9 -p1 -b .playonclick
 %patch16 -p1 -b .dso
+%patch17 -p1 -b .CVE-2007-0653
+%patch18 -p1 -b .fix-loop
 # Avoid standard rpaths on lib64 archs, --disable-rpath doesn't do it
 sed -i -e 's|"/lib /usr/lib"|"/%{_lib} %{_libdir}"|' configure
 

