Hello community,

here is the log from the commit of package mpg123 for openSUSE:Factory checked 
in at 2017-07-28 09:42:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mpg123 (Old)
 and      /work/SRC/openSUSE:Factory/.mpg123.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mpg123"

Fri Jul 28 09:42:37 2017 rev:6 rq:512250 version:1.25.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes    2017-07-23 
12:13:35.818549601 +0200
+++ /work/SRC/openSUSE:Factory/.mpg123.new/mpg123.changes       2017-07-28 
09:43:32.486924071 +0200
@@ -1,0 +2,9 @@
+Mon Jul 24 11:51:43 UTC 2017 - [email protected]
+
+- Update to version 1.25.4
+  libmpg123:
+  * Prevent harmless call to memcpy(NULL, NULL, 0).
+  * More early checking of ID3v2 encoding values to avoid bogus
+    text being stored.
+
+-------------------------------------------------------------------

Old:
----
  mpg123-1.25.3.tar.bz2
  mpg123-1.25.3.tar.bz2.sig

New:
----
  mpg123-1.25.4.tar.bz2
  mpg123-1.25.4.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mpg123.spec ++++++
--- /var/tmp/diff_new_pack.HW96tG/_old  2017-07-28 09:43:33.038846336 +0200
+++ /var/tmp/diff_new_pack.HW96tG/_new  2017-07-28 09:43:33.042845772 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           mpg123
-Version:        1.25.3
+Version:        1.25.4
 Release:        0
 Summary:        Console MPEG audio player and decoder library
 License:        LGPL-2.1

++++++ mpg123-1.25.3.tar.bz2 -> mpg123-1.25.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/NEWS new/mpg123-1.25.4/NEWS
--- old/mpg123-1.25.3/NEWS      2017-07-18 09:19:40.000000000 +0200
+++ new/mpg123-1.25.4/NEWS      2017-07-24 11:52:26.000000000 +0200
@@ -1,3 +1,11 @@
+1.25.4
+------
+- Better configure checks for i?86-apple-darwin (bug 253).
+- libmpg123:
+-- Prevent harmless call to memcpy(NULL, NULL, 0).
+-- More early checking of ID3v2 encoding values to avoid bogus text being
+   stored.
+
 1.25.3
 ------
 - libmpg123:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/configure new/mpg123-1.25.4/configure
--- old/mpg123-1.25.3/configure 2017-07-18 09:21:56.000000000 +0200
+++ new/mpg123-1.25.4/configure 2017-07-24 11:53:18.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mpg123 1.25.3.
+# Generated by GNU Autoconf 2.69 for mpg123 1.25.4.
 #
 # Report bugs to <[email protected]>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='mpg123'
 PACKAGE_TARNAME='mpg123'
-PACKAGE_VERSION='1.25.3'
-PACKAGE_STRING='mpg123 1.25.3'
+PACKAGE_VERSION='1.25.4'
+PACKAGE_STRING='mpg123 1.25.4'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1567,7 +1567,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mpg123 1.25.3 to adapt to many kinds of systems.
+\`configure' configures mpg123 1.25.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1637,7 +1637,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mpg123 1.25.3:";;
+     short | recursive ) echo "Configuration of mpg123 1.25.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1863,7 +1863,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mpg123 configure 1.25.3
+mpg123 configure 1.25.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2469,7 +2469,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mpg123 $as_me 1.25.3, which was
+It was created by mpg123 $as_me 1.25.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3425,7 +3425,7 @@
 
 # Define the identity of the package.
  PACKAGE='mpg123'
- VERSION='1.25.3'
+ VERSION='1.25.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14930,7 +14930,7 @@
   *-*-linux*|*-*-kfreebsd*-gnu)
     cpu_type="generic_fpu"
   ;;
-  i386-apple-darwin10*)
+  i?86-apple-darwin10*)
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking if CPU type supports 
x86-64" >&5
 $as_echo_n "checking if CPU type supports x86-64... " >&6; }
     case `sysctl -n hw.optional.x86_64` in
@@ -14947,7 +14947,7 @@
       ;;
     esac
   ;;
-  i386-apple-darwin*)
+  i?86-apple-darwin*)
     cpu_type="x86"
     newoldwritesample=enabled
   ;;
@@ -20241,7 +20241,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mpg123 $as_me 1.25.3, which was
+This file was extended by mpg123 $as_me 1.25.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20307,7 +20307,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mpg123 config.status 1.25.3
+mpg123 config.status 1.25.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/configure.ac 
new/mpg123-1.25.4/configure.ac
--- old/mpg123-1.25.3/configure.ac      2017-07-18 09:21:17.000000000 +0200
+++ new/mpg123-1.25.4/configure.ac      2017-07-24 11:52:33.000000000 +0200
@@ -8,7 +8,7 @@
 AC_PREREQ(2.57)
 
 dnl ############# Initialisation
-AC_INIT([mpg123], [1.25.3], [[email protected]])
+AC_INIT([mpg123], [1.25.4], [[email protected]])
 dnl Increment API_VERSION when the API gets changes (new functions).
 
 dnl libmpg123
@@ -586,7 +586,7 @@
   *-*-linux*|*-*-kfreebsd*-gnu)
     cpu_type="generic_fpu"
   ;;
-  i386-apple-darwin10*)
+  i?86-apple-darwin10*)
     AC_MSG_CHECKING([if CPU type supports x86-64])
     case `sysctl -n hw.optional.x86_64` in
       1)
@@ -600,7 +600,7 @@
       ;;
     esac
   ;;
-  i386-apple-darwin*)
+  i?86-apple-darwin*)
     cpu_type="x86"
     newoldwritesample=enabled
   ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/mpg123.spec 
new/mpg123-1.25.4/mpg123.spec
--- old/mpg123-1.25.3/mpg123.spec       2017-07-18 09:22:09.000000000 +0200
+++ new/mpg123-1.25.4/mpg123.spec       2017-07-24 11:53:32.000000000 +0200
@@ -3,7 +3,7 @@
 # - devel packages for alsa, sdl, etc... to build the respective output 
modules.
 Summary:       The fast console mpeg audio decoder/player.
 Name:          mpg123
-Version:       1.25.3
+Version:       1.25.4
 Release:       1
 URL:           http://www.mpg123.org/
 License:       GPL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/src/libmpg123/id3.c 
new/mpg123-1.25.4/src/libmpg123/id3.c
--- old/mpg123-1.25.3/src/libmpg123/id3.c       2017-07-18 09:18:46.000000000 
+0200
+++ new/mpg123-1.25.4/src/libmpg123/id3.c       2017-07-24 11:52:08.000000000 
+0200
@@ -250,6 +250,7 @@
 */
 static void store_id3_text(mpg123_string *sb, unsigned char *source, size_t 
source_size, const int noquiet, const int notranslate)
 {
+       unsigned char encoding;
        if(!source_size)
        {
                debug("Empty id3 data!");
@@ -271,26 +272,29 @@
                return;
        }
 
-       id3_to_utf8(sb, source[0], source+1, source_size-1, noquiet);
+       encoding = source[0];
+       if(encoding > mpg123_id3_enc_max)
+       {
+               if(noquiet)
+                       error1("Unknown text encoding %u, I take no chances, 
sorry!", encoding);
+
+               mpg123_free_string(sb);
+               return;
+       }
+       id3_to_utf8(sb, encoding, source+1, source_size-1, noquiet);
 
        if(sb->fill) debug1("UTF-8 string (the first one): %s", sb->p);
        else if(noquiet) error("unable to convert string to UTF-8 (out of 
memory, junk input?)!");
 }
 
 /* On error, sb->size is 0. */
+/* Also, encoding has been checked already! */
 void id3_to_utf8(mpg123_string *sb, unsigned char encoding, const unsigned 
char *source, size_t source_size, int noquiet)
 {
        unsigned int bwidth;
        debug1("encoding: %u", encoding);
        /* A note: ID3v2.3 uses UCS-2 non-variable 16bit encoding, v2.4 uses 
UTF16.
           UTF-16 uses a reserved/private range in UCS-2 to add the magic, so 
we just always treat it as UTF. */
-       if(encoding > mpg123_id3_enc_max)
-       {
-               if(noquiet) error1("Unknown text encoding %u, I take no 
chances, sorry!", encoding);
-
-               mpg123_free_string(sb);
-               return;
-       }
        bwidth = encoding_widths[encoding];
        /* Hack! I've seen a stray zero byte before BOM. Is that supposed to 
happen? */
        if(encoding != mpg123_id3_utf16be) /* UTF16be _can_ beging with a null 
byte! */
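Review bot: With the range check removed from `id3_to_utf8`, the function indexes `encoding_widths[encoding]` and later `text_converters[encoding]` with whatever value the caller passes, and the only protection left at that point is the new comment `/* Also, encoding has been checked already! */`. The function is not declared `static`, so any caller outside this file (none are visible in the diff) must repeat the `encoding > mpg123_id3_enc_max` test itself; a caller that forgets would let an unvalidated byte select an out-of-range table entry. I would keep a cheap guard at the top of `id3_to_utf8` in addition to the early check in `store_id3_text`, e.g. `if(encoding > mpg123_id3_enc_max){ mpg123_free_string(sb); return; }`, which is what the removed branch did minus the message. The body of `id3_to_utf8` continues past the end of this hunk.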
@@ -309,6 +313,7 @@
        text_converters[encoding](sb, source, source_size, noquiet);
 }
 
+/* You have checked encoding to be in the range already. */
 static unsigned char *next_text(unsigned char* prev, unsigned char encoding, 
size_t limit)
 {
        unsigned char *text = prev;
@@ -379,6 +384,12 @@
                debug("Empty id3 data!");
                return;
        }
+       if(encoding > mpg123_id3_enc_max)
+       {
+               if(NOQUIET)
+                       error1("Unknown text encoding %u, I take no chances, 
sorry!", encoding);
+               return;
+       }
        if(VERBOSE4) fprintf(stderr, "Note: Storing picture from APIC 
frame.\n");
        /* decompose realdata accordingly */
        i = add_picture(fr);
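Review bot: The added `encoding > mpg123_id3_enc_max` block is pasted verbatim here and again in the hunks at -447 and -529, with a fourth copy in `store_id3_text`, so any later change to the limit or the message has to be made in every copy, and a newly added frame handler can simply omit it. A small static helper that does the comparison and prints the message would reduce each call site to a single line and give the precondition noted on `next_text` and `id3_to_utf8` one obvious place to live. Where `encoding` is assigned is outside these hunks; the context line in the -447 hunk still logs `enc_name(realdata[0])`, so presumably it is `realdata[0]`, and it is worth confirming that this byte is read only after the size checks shown above each new block. The enclosing functions start and end outside the hunks.

```c
/* Return 1 if encoding is a known ID3v2 text encoding, else report it and return 0. */
static int check_id3_encoding(unsigned char encoding, int noquiet)
{
	if(encoding <= mpg123_id3_enc_max)
		return 1;
	if(noquiet)
		error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
	return 0;
}

/* … unchanged: empty-data / frame-size check … */
	if(!check_id3_encoding(encoding, NOQUIET))
		return;
/* … unchanged: add_picture() / add_text() / next_text() and the rest … */
```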
@@ -447,6 +458,12 @@
                if(NOQUIET) error1("Invalid frame size of %"SIZE_P" (too small 
for anything).", (size_p)realsize);
                return;
        }
+       if(encoding > mpg123_id3_enc_max)
+       {
+               if(NOQUIET)
+                       error1("Unknown text encoding %u, I take no chances, 
sorry!", encoding);
+               return;
+       }
        xcom = (tt == uslt ? add_text(fr) : add_comment(fr));
        if(VERBOSE4) fprintf(stderr, "Note: Storing comment from %s 
encoding\n", enc_name(realdata[0]));
        if(xcom == NULL)
@@ -529,6 +546,12 @@
                if(NOQUIET) error1("Invalid frame size of %lu (too small for 
anything).", (unsigned long)realsize);
                return;
        }
+       if(encoding > mpg123_id3_enc_max)
+       {
+               if(NOQUIET)
+                       error1("Unknown text encoding %u, I take no chances, 
sorry!", encoding);
+               return;
+       }
        text = next_text(descr, encoding, realsize-(descr-realdata));
        if(VERBOSE4) fprintf(stderr, "Note: Storing extra from %s encoding\n", 
enc_name(realdata[0]));
        if(text == NULL)
@@ -878,7 +901,9 @@
                                                                        
debug2("ID3v2: de-unsync made %lu out of %lu bytes", realsize, framesize);
                                                                }
                                                                pos = 0; /* now 
at the beginning again... */
-                                                               switch(tt)
+                                                               /* Avoid 
reading over boundary, even if there is a */
+                                                               /* zero byte of 
padding for safety. */
+                                                               if(realsize) 
switch(tt)
                                                                {
                                                                        case 
comment:
                                                                        case 
uslt:
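Review bot: The new guard `if(realsize) switch(tt)` hangs the whole switch off a braceless `if` on the same line, which is easy to misread and easy to break when an `else` or a statement is later added after the switch. The comment also does not say which read it protects; presumably the frame handlers read `realdata[0]` as the encoding byte, but that code is outside this hunk. I would brace the body and name the read, e.g. `/* Handlers read realdata[0]; skip empty frames. */` above `if(realsize){ switch(tt) … }`, and consider a `debug("ID3v2: skipping empty frame");` on the skipped path so malformed tags stay visible in debug output. The switch body continues beyond the hunk.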
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mpg123-1.25.3/src/libmpg123/stringbuf.c 
new/mpg123-1.25.4/src/libmpg123/stringbuf.c
--- old/mpg123-1.25.3/src/libmpg123/stringbuf.c 2017-07-18 09:18:46.000000000 
+0200
+++ new/mpg123-1.25.4/src/libmpg123/stringbuf.c 2017-07-24 11:52:02.000000000 
+0200
@@ -1,7 +1,8 @@
 /*
        stringbuf: mimicking a bit of C++ to more safely handle strings
 
-       copyright 2006-10 by the mpg123 project - free software under the terms 
of the LGPL 2.1
+       copyright 2006-17 by the mpg123 project
+           - free software under the terms of the LGPL 2.1
        see COPYING and AUTHORS files in distribution or http://mpg123.org
        initially written by Thomas Orgis
 */
@@ -86,7 +87,8 @@
 
        if(mpg123_resize_string(to, fill))
        {
-               memcpy(to->p, text, fill);
+               if(fill) /* Avoid memcpy(NULL, NULL, 0) */
+                       memcpy(to->p, text, fill);
                to->fill = fill;
                return 1;
        }


