Diffstat (limited to 'extra/libmodplug')
-rw-r--r-- | extra/libmodplug/PKGBUILD | 25 | ||||
-rw-r--r-- | extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch | 42 | ||||
-rw-r--r-- | extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch | 95 |
3 files changed, 153 insertions, 9 deletions
diff --git a/extra/libmodplug/PKGBUILD b/extra/libmodplug/PKGBUILD index 0db663908..9241d3603 100644 --- a/extra/libmodplug/PKGBUILD +++ b/extra/libmodplug/PKGBUILD @@ -1,28 +1,35 @@ -# $Id: PKGBUILD 150611 2012-02-18 22:54:35Z pierre $ -# Maintainer: -# Contributor: Jan de Groot <jgc@archlinux.org> -# Contributor: Patrick Leslie Polzer <leslie.polzer@gmx.net> +# $Id: PKGBUILD 193909 2013-09-05 20:04:00Z eric $ +# Maintainer: Eric BĂ©langer <eric@archlinux.org> pkgname=libmodplug pkgver=0.8.8.4 -pkgrel=1 +pkgrel=2 pkgdesc="A MOD playing library" arch=('i686' 'x86_64') url="http://modplug-xmms.sourceforge.net/" license=('custom') depends=('gcc-libs') options=('!libtool') -source=("http://downloads.sourceforge.net/modplug-xmms/${pkgname}-${pkgver}.tar.gz") -md5sums=('fddc3c704c5489de2a3cf0fedfec59db') +source=(http://downloads.sourceforge.net/modplug-xmms/${pkgname}-${pkgver}.tar.gz + libmodplug-CVE-2013-4233-Fix.patch libmodplug-CVE-2013-4234-Fix.patch) +sha1sums=('df4deffe542b501070ccb0aee37d875ebb0c9e22' + 'daee7fba80f633236a3d09ad19225c57013140e9' + '2e870747261a86dce5056cbf077c5914e9e8b287') + +prepare() { + cd ${pkgname}-${pkgver} + patch -p2 -i "${srcdir}/libmodplug-CVE-2013-4233-Fix.patch" + patch -p2 -i "${srcdir}/libmodplug-CVE-2013-4234-Fix.patch" +} build() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname}-${pkgver} ./configure --prefix=/usr make } package() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname}-${pkgver} make DESTDIR="${pkgdir}" install install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" } diff --git a/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch b/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch new file mode 100644 index 000000000..288b44d13 --- /dev/null +++ b/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch 
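Review bot: The new `source=` array still downloads the tarball over plain `http://`, and the only integrity pin is `sha1sums`, so the build relies on SHA-1 alone to detect a substituted archive or patch. A stronger digest would fit a security rebuild better, e.g. `sha256sums=('<sha256 of tarball>' '<sha256 of 4233 patch>' '<sha256 of 4234 patch>')` with the values regenerated by the packager. As a style point, `cd ${pkgname}-${pkgver}` in `prepare()`, `build()` and `package()` dropped the quoting the old lines had; `cd "${pkgname}-${pkgver}"` keeps it consistent with the quoted `"${srcdir}/..."` arguments to `patch`.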
@@ -0,0 +1,42 @@ +From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001 +From: Konstanty Bialkowski <konstanty@ieee.org> +Date: Wed, 14 Aug 2013 14:15:27 +1000 +Subject: [PATCH] CVE-2013-4233 Fix + +Integer overflow in j variable + +-- reported by Florian "Agix" Gaultier +--- + libmodplug/src/load_abc.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp +index 9f4b328..ecb7b62 100644 +--- a/libmodplug/src/load_abc.cpp ++++ b/libmodplug/src/load_abc.cpp +@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice) + + static void abc_set_parts(char **d, char *p) + { +- int i,j,k,m,n; ++ int i,j,k,m,n,size; + char *q; + #ifdef NEWMIKMOD + static MM_ALLOC *h; +@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p) + i += n-1; + } + } +- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case ++ size = (j + 1) > 0 ? j+1 : j; ++ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case + // now copy bytes from p to *d, taking parens and digits in account + j = 0; +- for( i=0; p[i] && p[i] != '%'; i++ ) { ++ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) { + if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) { + if( p[i] == ')' ) { + for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q +-- +1.8.4 + diff --git a/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch b/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch new file mode 100644 index 000000000..c4b105d19 --- /dev/null +++ b/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch 
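Review bot: The added guard `size = (j + 1) > 0 ? j+1 : j;` in `abc_set_parts` detects the overflow only after performing it. `j + 1` on an `int` equal to `INT_MAX` is undefined behaviour, so a compiler is allowed to fold the test away. Testing before the addition avoids that, e.g. `size = (j < INT_MAX) ? j + 1 : j;`, and a `j` that is already negative after the counting loop (which starts above the hunk) should be rejected outright rather than passed to `_mm_calloc`. In the lines shown, the `_mm_calloc` result is also used without a NULL check. The new `j < size` bound is evaluated only once per pass of the copy loop, so the paren-expansion branch, which continues past the end of the hunk, should be checked for storing more than one byte per pass.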
@@ -0,0 +1,95 @@ +From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001 +From: Konstanty Bialkowski <konstanty@ieee.org> +Date: Wed, 14 Aug 2013 15:15:09 +1000 +Subject: [PATCH] CVE-2013-4234 Fix + +Heap overflow in abc_MIDI_drum + abc_MIDI_gchord + +-- reported by Florian "Agix" Gaultier +--- + libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp +index ecb7b62..dd9cc6b 100644 +--- a/libmodplug/src/load_abc.cpp ++++ b/libmodplug/src/load_abc.cpp +@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p) + static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + { + char *q; +- int i,n,m; ++ int i, n, m, len; + while( isspace(*p) ) p++; + if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; + if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; +- n = 0; ++ n = 0; len = 0; + for( q = h->drum; *p && !isspace(*p); p++ ) { + if( !strchr("dz0123456789",*p) ) break; +- *q++ = *p; +- if( !isdigit(*p) ) { +- if( !isdigit(p[1]) ) *q++ = '1'; ++ *q++ = *p; len++; ++ if( !isdigit(*p) && len < sizeof(h->drum)-1 ) { ++ if( !isdigit(p[1]) ) { *q++ = '1'; len ++; } + n++; // count the silences too.... + } ++ if (len >= sizeof(h->drum)-1) { ++ // consume the rest of the input ++ // definitely enough "drum last state" stored. 
++ while ( *p && !isspace(*p) ) p++; ++ break; ++ } + } + *q = '\0'; + q = h->drumins; + for( i = 0; i<n; i++ ) { + if( h->drum[i*2] == 'd' ) { +- while( isspace(*p) ) p++; ++ while( *p && isspace(*p) ) p++; + if( !isdigit(*p) ) { + m = 0; +- while( !isspace(*p) ) p++; ++ while( *p && !isspace(*p) ) p++; + } + else + p += abc_getnumber(p,&m); +@@ -3236,10 +3242,10 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + q = h->drumvol; + for( i = 0; i<n; i++ ) { + if( h->drum[i*2] == 'd' ) { +- while( isspace(*p) ) p++; ++ while( *p && isspace(*p) ) p++; + if( !isdigit(*p) ) { + m = 0; +- while( !isspace(*p) ) p++; ++ while( *p && !isspace(*p) ) p++; + } + else + p += abc_getnumber(p,&m); +@@ -3254,13 +3260,19 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + static int abc_MIDI_gchord(const char *p, ABCHANDLE *h) + { + char *q; ++ int len = 0; + while( isspace(*p) ) p++; + if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; + if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; + for( q = h->gchord; *p && !isspace(*p); p++ ) { + if( !strchr("fbcz0123456789ghijGHIJ",*p) ) break; +- *q++ = *p; +- if( !isdigit(*p) && !isdigit(p[1]) ) *q++ = '1'; ++ *q++ = *p; len++; ++ if( !isdigit(*p) && len < sizeof(h->gchord)-1 && !isdigit(p[1]) ) { *q++ = '1'; len ++; } ++ if (len >= sizeof(h->gchord)-1) { ++ // consume the rest of the input ++ // definitely enough "drum last state" stored. ++ while ( *p && !isspace(*p) ) p++; ++ } + } + *q = '\0'; + return 0; +-- +1.8.4 + |
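Review bot: The length guard added to `abc_MIDI_gchord` has no `break` after its consume loop, unlike the matching guard in `abc_MIDI_drum`. Once `len >= sizeof(h->gchord)-1`, the inner `while` leaves `p` on the terminator or a space, and the `for` increment then steps past it. The loop condition is then evaluated one byte further on, and the loop can resume storing into `h->gchord` with `len` already at the limit. Ending the guard with `while ( *p && !isspace(*p) ) p++; break;` closes that path. This assumes `h->gchord` and `h->drum` are fixed arrays in `ABCHANDLE`, whose declaration is not in the hunk; if they were pointers, `sizeof` would not give the buffer size. The copied comment "drum last state" in the gchord branch should also be reworded to name gchord.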