author | Alexis Ballier <aballier@gentoo.org> | 2017-03-11 10:47:47 +0100 |
---|---|---|
committer | Alexis Ballier <aballier@gentoo.org> | 2017-03-11 10:48:02 +0100 |
commit | f4fb4a86e43e1182ff5fc0f422b31eb853860e13 (patch) | |
tree | 27aef003ba12192e9d78f3234c0477675bc59b5e /media-libs/libquicktime | |
parent | media-libs/libquicktime: Convert to libav useflag and add missing zlib dep, b... (diff) | |
media-libs/libquicktime: Add fix for CVE-2016-2399
Package-Manager: Portage-2.3.4, Repoman-2.3.2
Diffstat (limited to 'media-libs/libquicktime')
-rw-r--r-- | media-libs/libquicktime/files/CVE-2016-2399.patch | 25 | ||||
-rw-r--r-- | media-libs/libquicktime/libquicktime-1.2.4-r2.ebuild | 123 |
2 files changed, 148 insertions, 0 deletions
diff --git a/media-libs/libquicktime/files/CVE-2016-2399.patch b/media-libs/libquicktime/files/CVE-2016-2399.patch
new file mode 100644
index 000000000000..a1737c0dc0a9
--- /dev/null
+++ b/media-libs/libquicktime/files/CVE-2016-2399.patch
@@ -0,0 +1,25 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855099
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
+
+diff --git a/src/util.c b/src/util.c
+index d8dc3c3..9422fc5 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -340,9 +340,14 @@ int64_t quicktime_byte_position(quicktime_t *file)
+
+ void quicktime_read_pascal(quicktime_t *file, char *data)
+ {
+- char len = quicktime_read_char(file);
+- quicktime_read_data(file, (uint8_t*)data, len);
+- data[(int)len] = 0;
++ int len = quicktime_read_char(file);
++ if ((len > 0) && (len < 256)) {
++ /* data[] is expected to be 256 bytes long */
++ quicktime_read_data(file, (uint8_t*)data, len);
++ data[len] = 0;
++ } else {
++ data[0] = 0;
++ }
+ }
+
+ void quicktime_write_pascal(quicktime_t *file, char *data)
diff --git a/media-libs/libquicktime/libquicktime-1.2.4-r2.ebuild b/media-libs/libquicktime/libquicktime-1.2.4-r2.ebuild
new file mode 100644
index 000000000000..eb38c001faf1
--- /dev/null
+++ b/media-libs/libquicktime/libquicktime-1.2.4-r2.ebuild
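Review bot: The bound `len < 256` in the patched quicktime_read_pascal only means something if quicktime_read_char hands back the length byte as an unsigned value; its declaration is outside the hunk, but the removed code stored the result in a `char`, which suggests it returns `char`. If that is the case, on targets where `char` is signed a length byte of 0x80-0xFF still arrives negative, so the name is dropped and its payload bytes are left unread, leaving the parser at the wrong file offset. Reading the byte as `int len = (uint8_t)quicktime_read_char(file);` keeps the length in 0..255, which matches the 256-byte assumption stated in the comment. That assumption is enforced nowhere in this function, so the callers' buffers (outside the hunk) should be confirmed to be at least 256 bytes.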
@@ -0,0 +1,123 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit libtool eutils multilib-minimal
+
+DESCRIPTION="An enhanced version of the quicktime4linux library"
+HOMEPAGE="http://libquicktime.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="aac alsa doc dv encode ffmpeg gtk jpeg lame libav cpu_flags_x86_mmx opengl png schroedinger static-libs vorbis X x264"
+
+RDEPEND=">=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+ sys-libs/zlib:=
+ aac? (
+ >=media-libs/faad2-2.7-r3[${MULTILIB_USEDEP}]
+ encode? ( >=media-libs/faac-1.28-r3[${MULTILIB_USEDEP}] )
+ )
+ alsa? ( >=media-libs/alsa-lib-1.0.20 )
+ dv? ( >=media-libs/libdv-1.0.0-r3[${MULTILIB_USEDEP}] )
+ ffmpeg? (
+ libav? ( media-video/libav:0=[${MULTILIB_USEDEP}] )
+ !libav? ( media-video/ffmpeg:0=[${MULTILIB_USEDEP}] )
+ )
+ gtk? ( x11-libs/gtk+:2 )
+ jpeg? ( >=virtual/jpeg-0-r2:0[${MULTILIB_USEDEP}] )
+ lame? ( >=media-sound/lame-3.99.5-r1[${MULTILIB_USEDEP}] )
+ opengl? ( virtual/opengl )
+ png? ( >=media-libs/libpng-1.6.10:0[${MULTILIB_USEDEP}] )
+ schroedinger? ( >=media-libs/schroedinger-1.0.11-r1[${MULTILIB_USEDEP}] )
+ vorbis? (
+ >=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}]
+ >=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}]
+ )
+ X? (
+ x11-libs/libX11
+ x11-libs/libXaw
+ x11-libs/libXext
+ x11-libs/libXt
+ x11-libs/libXv
+ )
+ x264? ( >=media-libs/x264-0.0.20130506[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+ sys-devel/gettext
+ doc? ( app-doc/doxygen )
+ X? ( >=x11-proto/videoproto-2.3.1-r1[${MULTILIB_USEDEP}] )"
+
+REQUIRED_USE="opengl? ( X )"
+
+DOCS="ChangeLog README TODO"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}+libav-9.patch \
+ "${FILESDIR}"/${P}-ffmpeg2.patch \
+ "${FILESDIR}/CVE-2016-2399.patch"
+ if has_version '>=media-video/ffmpeg-2.9' ||
+ has_version '>=media-video/libav-12'; then
+ epatch "${FILESDIR}"/${P}-ffmpeg29.patch
+ fi
+
+ for FILE in lqt_ffmpeg.c video.c audio.c ; do
+ sed -i -e "s:CODEC_ID_:AV_&:g" "${S}/plugins/ffmpeg/${FILE}" || die
+ done
+
+ elibtoolize # Required for .so versioning on g/fbsd
+}
+
+multilib_src_configure() {
+ # utils use: alsa, opengl, gtk+, X
+
+ ECONF_SOURCE=${S} \
+ econf \
+ --enable-gpl \
+ $(use_enable static-libs static) \
+ $(use_enable cpu_flags_x86_mmx asm) \
+ $(multilib_native_use_with doc doxygen) \
+ $(use vorbis || echo --without-vorbis) \
+ $(use_with lame) \
+ $(multilib_native_use_with X x) \
+ $(multilib_native_use_with opengl) \
+ $(multilib_native_use_with alsa) \
+ $(multilib_native_use_with gtk) \
+ $(use_with dv libdv) \
+ $(use_with jpeg libjpeg) \
+ $(use_with ffmpeg) \
+ $(use_with png libpng) \
+ $(use_with schroedinger) \
+ $(use_with aac faac) \
+ $(use encode || echo --without-faac) \
+ $(use_with aac faad2) \
+ $(use_with x264) \
+ --without-cpuflags
+
+ if ! multilib_is_native_abi; then
+ # disable building utilities
+ sed -i -e '/SUBDIRS =/s:utils::' Makefile || die
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ prune_libtool_files --all
+
+ # Compatibility with software that uses quicktime prefix, but
+ # don't do that when building for Darwin/MacOS
+ [[ ${CHOST} != *-darwin* ]] && dosym /usr/include/lqt /usr/include/quicktime
+}
+
+pkg_preinst() {
+ if [[ -d /usr/include/quicktime && ! -L /usr/include/quicktime ]]; then
+ elog "For compatibility with other quicktime libraries, ${PN} was"
+ elog "going to create a /usr/include/quicktime symlink, but for some"
+ elog "reason that is a directory on your system."
+
+ elog "Please check that is empty, and remove it, or submit a bug"
+ elog "telling us which package owns the directory."
+ die "/usr/include/quicktime is a directory."
+ fi
+}
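Review bot: pkg_preinst tests `/usr/include/quicktime` without an `${EROOT}` prefix, so when the package is merged into a non-default ROOT the directory check inspects the build host's filesystem instead of the install target. I would write the condition as `if [[ -d ${EROOT}usr/include/quicktime && ! -L ${EROOT}usr/include/quicktime ]]; then` and use the same prefixed path in the `die` message, so the check and the report both refer to the tree that will actually receive the symlink.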