main/ffmpeg: security fix (CVE-2011-3504)

fixes #804

main/ffmpeg/APKBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ffmpeg
 pkgver=0.6.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
 url="http://ffmpeg.mplayerhq.hu/"
 license="GPL"
@@ -10,12 +10,14 @@ makedepends="lame-dev libvorbis-dev faad2-dev faac-dev xvidcore-dev zlib-dev
 	imlib2-dev x264-dev libtheora-dev coreutils bzip2-dev perl libvpx-dev"
 depends=
 source="http://ffmpeg.org/releases/ffmpeg-$pkgver.tar.bz2
+	cve-2011-3504.patch
 	pic.patch"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	cd "$_builddir"
-	patch -p1 -i "$srcdir"/pic.patch
+	patch -p1 -i "$srcdir"/pic.patch || return 1
+	patch -p1 -i "$srcdir"/cve-2011-3504.patch || return 1
 }
 
 build() {
@@ -52,4 +54,5 @@ package() {
 #	strip --strip-debug "$pkgdir"/usr/lib/*.a || return 1
 }
 md5sums="4f5d732d25eedfb072251b5314ba2093  ffmpeg-0.6.1.tar.bz2
+7efdfc8423314500a9ae1327d5f368c2  cve-2011-3504.patch
 d4870ae7350caed041d2b39e406a173b  pic.patch"

main/ffmpeg/cve-2011-3504.patch

@@ -0,0 +1,113 @@
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 28 Jul 2011 12:59:54 +0000 (+0200)
+Subject: Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
+X-Git-Url: http://git.libav.org/?p=libav.git;a=commitdiff_plain;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
+
+Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
+
+Whitespace of the patch cleaned up by Aurel
+Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
+
+Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
+implemented by Reinhard Tartler <siretart@tauware.de>
+
+Signed-off-by: Reinhard Tartler <siretart@tauware.de>
+---
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index af5532b..89df095 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
+     uint32_t id = syntax->id;
+     uint64_t length;
+     int res;
++    void *newelem;
+ 
+     data = (char *)data + syntax->data_offset;
+     if (syntax->list_elem_size) {
+         EbmlList *list = data;
+-        list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++        newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++        if (!newelem)
++            return AVERROR(ENOMEM);
++        list->elem = newelem;
+         data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
+         memset(data, 0, syntax->list_elem_size);
+         list->nb_elem++;
+@@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+     uint8_t* data = *buf;
+     int isize = *buf_size;
+     uint8_t* pkt_data = NULL;
++    uint8_t* newpktdata;
+     int pkt_size = isize;
+     int result = 0;
+     int olen;
+@@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+         zstream.avail_in = isize;
+         do {
+             pkt_size *= 3;
+-            pkt_data = av_realloc(pkt_data, pkt_size);
++            newpktdata = av_realloc(pkt_data, pkt_size);
++            if (!newpktdata) {
++                inflateEnd(&zstream);
++                goto failed;
++            }
++            pkt_data = newpktdata;
+             zstream.avail_out = pkt_size - zstream.total_out;
+             zstream.next_out = pkt_data + zstream.total_out;
+             result = inflate(&zstream, Z_NO_FLUSH);
+@@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+         bzstream.avail_in = isize;
+         do {
+             pkt_size *= 3;
+-            pkt_data = av_realloc(pkt_data, pkt_size);
++            newpktdata = av_realloc(pkt_data, pkt_size);
++            if (!newpktdata) {
++                BZ2_bzDecompressEnd(&bzstream);
++                goto failed;
++            }
++            pkt_data = newpktdata;
+             bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
+             bzstream.next_out = pkt_data + bzstream.total_out_lo32;
+             result = BZ2_bzDecompress(&bzstream);
+@@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
+     }
+ }
+ 
+-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
++static int matroska_merge_packets(AVPacket *out, AVPacket *in)
+ {
+-    out->data = av_realloc(out->data, out->size+in->size);
++    void *newdata = av_realloc(out->data, out->size+in->size);
++    if (!newdata)
++        return AVERROR(ENOMEM);
++    out->data = newdata;
+     memcpy(out->data+out->size, in->data, in->size);
+     out->size += in->size;
+     av_destruct_packet(in);
+     av_free(in);
++    return 0;
+ }
+ 
+ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
+@@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
+         memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
+         av_free(matroska->packets[0]);
+         if (matroska->num_packets > 1) {
++            void *newpackets;
+             memmove(&matroska->packets[0], &matroska->packets[1],
+                     (matroska->num_packets - 1) * sizeof(AVPacket *));
+-            matroska->packets =
+-                av_realloc(matroska->packets, (matroska->num_packets - 1) *
+-                           sizeof(AVPacket *));
++            newpackets = av_realloc(matroska->packets,
++                            (matroska->num_packets - 1) * sizeof(AVPacket *));
++            if (newpackets)
++                matroska->packets = newpackets;
+         } else {
+             av_freep(&matroska->packets);
+         }