From 415856bdd4f48ab4f2732996f0bae58595092bbe Mon Sep 17 00:00:00 2001 From: Parabola Date: Tue, 5 Apr 2011 14:26:38 +0000 Subject: Tue Apr 5 14:26:38 UTC 2011
---
extra/libid3tag/10_utf16.diff | 48 ++++++++++++++++++++++++++++++++ extra/libid3tag/11_unknown_encoding.diff | 37 ++++++++++++++++++++++++ extra/libid3tag/CVE-2008-2109.patch | 11 ++++++++ extra/libid3tag/PKGBUILD | 38 +++++++++++++++++++++++++ extra/libid3tag/id3tag.pc | 10 +++++++ 5 files changed, 144 insertions(+) create mode 100644 extra/libid3tag/10_utf16.diff create mode 100644 extra/libid3tag/11_unknown_encoding.diff create mode 100644 extra/libid3tag/CVE-2008-2109.patch create mode 100644 extra/libid3tag/PKGBUILD create mode 100644 extra/libid3tag/id3tag.pc (limited to 'extra/libid3tag')
diff --git a/extra/libid3tag/10_utf16.diff b/extra/libid3tag/10_utf16.diff
new file mode 100644
index 000000000..a3218d26d
--- /dev/null
+++ b/extra/libid3tag/10_utf16.diff
@@ -0,0 +1,48 @@
+#! /bin/sh -e
+## 10_utf16.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Handle bogus UTF16 sequences that have a length that is not
+## DP: an even number of 8 bit characters.
+
+if [ $# -lt 1 ]; then
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
+
+case "$1" in
+ -patch) patch -p1 ${patch_opts} < $0;;
+ -unpatch) patch -R -p1 ${patch_opts} < $0;;
+ *)
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/extra/libid3tag/11_unknown_encoding.diff b/extra/libid3tag/11_unknown_encoding.diff
new file mode 100644
index 000000000..7387f2f7d
--- /dev/null
+++ b/extra/libid3tag/11_unknown_encoding.diff
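Review bot: The added block in utf16.c steps `*ptr` one byte beyond `end` whenever `length` is odd, and nothing in the hunk shows how `end` relates to the caller's buffer limit. If `end` is derived from `length` rounded down to an even value, the increment lands on the last byte the caller offered, but that computation lies outside the hunk and should be confirmed before relying on it. The comment would read better as a plain statement of the contract, for example `/* Odd length: the trailing byte cannot form a UTF-16 unit, so it is consumed and dropped so that callers looping until *ptr reaches their end still terminate. */`.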
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 11_unknown_encoding.dpatch by Andreas Henriksson
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: In case of an unknown/invalid encoding, id3_parse_string() will
+## DP: return NULL, but the return value wasn't checked resulting
+## DP: in segfault in id3_ucs4_length(). This is the only place
+## DP: the return value wasn't checked.
+
+@DPATCH@
+diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
+--- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+
+ encoding = id3_parse_uint(&data, 1);
+ string = id3_parse_string(&data, end - data, encoding, 0);
++ if (!string)
++ {
++ continue;
++ }
+
+ if (id3_ucs4_length(string) < 4) {
+ free(string);
+diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
+--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+ case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+ }
+
+ if (ucs4 && !full) {
diff --git a/extra/libid3tag/CVE-2008-2109.patch b/extra/libid3tag/CVE-2008-2109.patch
new file mode 100644
index 000000000..26c54c5d2
--- /dev/null
+++ b/extra/libid3tag/CVE-2008-2109.patch
@@ -0,0 +1,11 @@
+--- field.c.orig 2008-05-05 09:49:15.000000000 -0400
++++ field.c 2008-05-05 09:49:25.000000000 -0400
+@@ -291,7 +291,7 @@
+
+ end = *ptr + length;
+
+- while (end - *ptr > 0) {
++ while (end - *ptr > 0 && **ptr != '\0') {
+ ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+ if (ucs4 == 0)
+ goto fail;
diff --git a/extra/libid3tag/PKGBUILD b/extra/libid3tag/PKGBUILD
new file mode 100644
index 000000000..759e99240
--- /dev/null
+++ b/extra/libid3tag/PKGBUILD
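Review bot: The new `default:` branch in parse.c returns NULL without telling the caller why, so an unknown encoding byte read from the tag becomes indistinguishable from any other reason id3_parse_string() returns NULL, and the FIXME leaves that undecided. I would replace the FIXME with a comment stating the contract, e.g. `/* unknown text encoding: nothing consumed, caller must treat NULL as a parse failure */`, after confirming that `*ptr` really is untouched on this path (the top of the function is outside the hunk). In compat.gperf the added `continue` silently skips the frame; the enclosing loop is not visible here, so it is worth checking that it advances independently of `data`.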
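Review bot: The added `**ptr != '\0'` test in the field.c loop inspects a single byte, while the string that follows is decoded according to `*encoding`. For a 16-bit encoding without a byte-order mark the first byte of a valid character can be zero, so the loop may stop before parsing entries that are actually present; this is inferred from the encoding formats rather than from anything visible in the hunk, and deserves a test with such a string list. The patch file also carries no header describing the fault it fixes, and a short description above the `---` line (what input kept the loop from terminating, and why stopping at a leading NUL is acceptable) would help whoever carries this patch forward. The loop body continues past the end of the hunk.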
@@ -0,0 +1,38 @@
+# $Id: PKGBUILD 90138 2010-09-08 13:24:51Z andrea $
+# Maintainer:
+# Contributor: dorphell
+
+pkgname=libid3tag
+pkgver=0.15.1b
+pkgrel=6
+pkgdesc="library for id3 tagging"
+arch=('i686' 'x86_64')
+url="http://www.underbit.com/products/mad/"
+license=('GPL')
+depends=('zlib')
+makedepends=('gperf')
+options=('!libtool')
+source=("ftp://ftp.mars.org/pub/mpeg/${pkgname}-${pkgver}.tar.gz"
+ 'id3tag.pc'
+ '10_utf16.diff' '11_unknown_encoding.diff' 'CVE-2008-2109.patch')
+md5sums=('e5808ad997ba32c498803822078748c3'
+ '8bb41fd814fafcc37ec8bc88f5545a4a'
+ '4f9df4011e6a8c23240fff5de2d05f6e'
+ '3ca856b97924d48a0fdfeff0bd83ce7d'
+ 'c51822ea6301b1ca469975f0c9ee8e34')
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 < ../10_utf16.diff
+ patch -p1 < ../11_unknown_encoding.diff
+ patch -Np0 -i ${srcdir}/CVE-2008-2109.patch
+
+ ./configure --prefix=/usr
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+ install -D -m644 "${srcdir}/id3tag.pc" "${pkgdir}/usr/lib/pkgconfig/id3tag.pc"
+}
diff --git a/extra/libid3tag/id3tag.pc b/extra/libid3tag/id3tag.pc
new file mode 100644
index 000000000..3155de7b3
--- /dev/null
+++ b/extra/libid3tag/id3tag.pc
@@ -0,0 +1,10 @@
+prefix=/usr
+exec_prefix=/usr/bin
+libdir=/usr/lib
+includedir=/usr/include
+
+Name: ID3TAG
+Description: libid3tag - ID3 tag manipulation library
+Version: 0.15.0b
+Libs: -L${libdir} -lid3tag -lz
+Cflags:
-- cgit v1.2.3-54-g00ecf
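Review bot: The upstream tarball in `source` is fetched over `ftp://` and checked only against `md5sums`, so the integrity of the build rests on an unauthenticated transport plus a hash with known collision weaknesses. Adding a `sha256sums=(...)` array, with values generated from a tarball verified out of band and listed in the same order as `source`, would make the check meaningful. In `build()`, the third patch is applied with `-Np0 -i ${srcdir}/CVE-2008-2109.patch` while the other two use `-p1 < ../file`; quoting the path as `"${srcdir}/CVE-2008-2109.patch"` and using one invocation style for all three would make a mis-applied security patch easier to spot.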
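Review bot: `Version: 0.15.0b` in id3tag.pc does not match `pkgver=0.15.1b` in the PKGBUILD that installs this file, so pkg-config version checks in dependent builds will see the older number. It should read `Version: 0.15.1b`. `exec_prefix=/usr/bin` also looks unintended, since that variable normally names the same directory as `prefix`; no other field here uses it, so `exec_prefix=${prefix}` would be the conventional form.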