From d4b4da9013c3d5548d20797f7bb8f90a8dd7639b Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Wed, 15 May 2013 17:23:28 -0300 Subject: mplayer-vaapi-libre-35107-7: Fix out of bound write access when parsing .srt --- libre/mplayer-vaapi-libre/PKGBUILD | 22 +++++--- .../subreader-fix-srt-parsing.patch | 60 ++++++++++++++++++++++ 2 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 libre/mplayer-vaapi-libre/subreader-fix-srt-parsing.patch diff --git a/libre/mplayer-vaapi-libre/PKGBUILD b/libre/mplayer-vaapi-libre/PKGBUILD index 3b0ef9080..93958ca69 100644 --- a/libre/mplayer-vaapi-libre/PKGBUILD +++ b/libre/mplayer-vaapi-libre/PKGBUILD @@ -1,4 +1,4 @@ -# $Id$ +# $Id: PKGBUILD 90856 2013-05-14 23:55:05Z foutrelis $ # Maintainer: Evangelos Foutras # Contributor: Ionut Biru # Contributor: Hugo Doria @@ -8,8 +8,8 @@ pkgname=mplayer-vaapi-libre pkgver=35107 -pkgrel=5 -pkgdesc="A movie player, compiled with vaapi (without unfree faac support)" +pkgrel=7 +pkgdesc="A movie player, compiled with vaapi, without nonfree faac support" arch=('i686' 'x86_64' 'mips64el') url="http://gitorious.org/vaapi/mplayer" license=('GPL') 
@@ -26,19 +26,29 @@ replaces=('mplayer-vaapi') backup=('etc/mplayer/codecs.conf' 'etc/mplayer/input.conf') source=(http://pkgbuild.com/~foutrelis/mplayer-vaapi-$pkgver.tar.xz cdio-includes.patch - tweak-desktop-file.patch) + tweak-desktop-file.patch + subreader-fix-srt-parsing.patch) options=('!buildflags' '!emptydirs') install=mplayer-vaapi.install sha256sums=('a6c645625cc2cd6ca48764db302c926049f831e757857ece351b37b674e05e56' '72e6c654f9733953ad2466d0ea1a52f23e753791d8232d90f13293eb1b358720' - '5a09fb462729a4e573568f9e8c1f57dbe7f69c0b68cfa4f6d70b3e52c450d93b') + '5a09fb462729a4e573568f9e8c1f57dbe7f69c0b68cfa4f6d70b3e52c450d93b' + '69127a5576e4f1f62f688215bd2ec0e052ddcb36292c7a1766c146ff122cb092') -build() { + +prepare() { cd "$srcdir/mplayer-vaapi-$pkgver" patch -Np0 -i "$srcdir/cdio-includes.patch" patch -d etc -Np0 -i "$srcdir/tweak-desktop-file.patch" + # http://bugzilla.mplayerhq.hu/show_bug.cgi?id=2139 + patch -Np1 -i "$srcdir/subreader-fix-srt-parsing.patch" +} + +build() { + cd "$srcdir/mplayer-vaapi-$pkgver" + ./configure \ --prefix=/usr \ --enable-runtime-cpudetection \ diff --git a/libre/mplayer-vaapi-libre/subreader-fix-srt-parsing.patch b/libre/mplayer-vaapi-libre/subreader-fix-srt-parsing.patch new file mode 100644 index 000000000..84f2de4d9 --- /dev/null +++ b/libre/mplayer-vaapi-libre/subreader-fix-srt-parsing.patch 
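Review bot: The comment above the new `patch -Np1` line in prepare() records only a bug URL, so a later maintainer cannot tell from the PKGBUILD that this patch is a memory-safety fix, or when it can be dropped. I would put a line such as `# Security fix: out-of-bounds write in sscanf() when parsing .srt (backport of commit d98e61ea438d by wm4)` above the existing URL comment. The commit id is the one in the `From` line of the added patch file.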
@@ -0,0 +1,60 @@
+From d98e61ea438db66323734ad1b6bea66411a3c97b Mon Sep 17 00:00:00 2001
+From: wm4
+Date: Tue, 30 Apr 2013 00:09:31 +0200
+Subject: [PATCH] subreader: fix out of bound write access when parsing .srt
+
+This broke .srt subtitles on gcc-4.8. The breakage was relatively
+subtle: it set all hour components to 0, while everything else was
+parsed successfully.
+
+But the problem is really that sscanf wrote 1 byte past the sep
+variable (or more, for invalid/specially prepared input). The %[..]
+format specifier is unbounded. Fix that by letting sscanf drop the
+parsed contents with "*", and also make it skip only one input
+character by adding "1" (=> "%*1[...").
+
+The out of bound write could easily lead to security issues.
+
+Also, this change makes .srt subtitle parsing slightly more strict.
+Strictly speaking this is an unrelated change, but do it anyway. It's
+more correct.
+---
+ sub/subreader.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+ (foutrelis: adjusted variable names in first hunk to apply to mplayer)
+
+diff --git a/sub/subreader.c b/sub/subreader.c
+index 23da4c7..0f1b6c9 100644
+--- a/sub/subreader.c
++++ b/sub/subreader.c
+@@ -386,14 +386,14 @@ static subtitle *sub_ass_read_line_subviewer(stream_t *st, subtitle *current,
+ int h1, m1, s1, ms1, h2, m2, s2, ms2, j = 0;
+
+ while (!current->text[0]) {
+- char line[LINE_LEN + 1], full_line[LINE_LEN + 1], sep;
++ char line[LINE_LEN + 1], full_line[LINE_LEN + 1];
+ int i;
+
+ /* Parse SubRip header */
+ if (!stream_read_line(st, line, LINE_LEN, utf16))
+ return NULL;
+- if (sscanf(line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",
+- &h1, &m1, &s1, &sep, &ms1, &h2, &m2, &s2, &sep, &ms2) < 10)
++ if (sscanf(line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",
++ &h1, &m1, &s1, &ms1, &h2, &m2, &s2, &ms2) < 8)
+ continue;
+
+ current->start = a1 * 360000 + a2 * 6000 + a3 * 100 + a4 / 10;
+@@ -450,7 +450,7 @@ static subtitle *sub_read_line_subviewer(stream_t *st,subtitle *current,
+ return sub_ass_read_line_subviewer(st, current, args);
+ while (!current->text[0]) {
+ if (!stream_read_line (st, line, LINE_LEN, utf16)) return NULL;
+- if ((len=sscanf (line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",&a1,&a2,&a3,(char *)&i,&a4,&b1,&b2,&b3,(char *)&i,&b4)) < 10)
++ if ((len=sscanf (line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",&a1,&a2,&a3,&a4,&b1,&b2,&b3,&b4)) < 8)
+ continue;
+ current->start = a1*360000+a2*6000+a3*100+a4/10;
+ current->end = b1*360000+b2*6000+b3*100+b4/10;
+--
+1.8.1.6
+
-- cgit v1.2.3
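Review bot: The parsed time fields still reach `current->start = a1*360000+a2*6000+a3*100+a4/10;` with no range check. A subtitle header with a very large or negative hour or minute value can therefore overflow the signed `int` arithmetic, which is undefined behaviour, even though `%*1[,.:]` removes the out-of-bounds write. Consider rejecting implausible headers right after each `sscanf` call, e.g. `if (a1 < 0 || a1 > 9999 || a2 < 0 || a2 > 59 || a3 < 0 || a3 > 59 || a4 < 0) continue;` (limits are illustrative), with the same test for `b1`..`b4`. Separately, the first inner hunk as shown declares and scans into `h1, m1, s1, ms1` while its trailing context line computes from `a1`..`a4`, so it is worth confirming that it applies to the packaged tree without fuzz. Both functions continue outside the hunks.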