commit mpg123 for openSUSE:Factory

28 Jul 2017

Hello community,

here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2017-07-28 09:42:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mpg123 (Old)
 and      /work/SRC/openSUSE:Factory/.mpg123.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mpg123"

Fri Jul 28 09:42:37 2017 rev:6 rq:512250 version:1.25.4

Changes:
--------

--- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes	2017-07-23 12:13:35.818549601 +0200
+++ /work/SRC/openSUSE:Factory/.mpg123.new/mpg123.changes	2017-07-28 09:43:32.486924071 +0200
@@ -1,0 +2,9 @@
+Mon Jul 24 11:51:43 UTC 2017 - aloisio@gmx.com
+
+- Update to version 1.25.4
+  libmpg123:
+  * Prevent harmless call to memcpy(NULL, NULL, 0).
+  * More early checking of ID3v2 encoding values to avoid bogus
+    text being stored.
+
+-------------------------------------------------------------------

Old:
----
  mpg123-1.25.3.tar.bz2
  mpg123-1.25.3.tar.bz2.sig

New:
----
  mpg123-1.25.4.tar.bz2
  mpg123-1.25.4.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mpg123.spec ++++++
--- /var/tmp/diff_new_pack.HW96tG/_old	2017-07-28 09:43:33.038846336 +0200
+++ /var/tmp/diff_new_pack.HW96tG/_new	2017-07-28 09:43:33.042845772 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           mpg123
-Version:        1.25.3
+Version:        1.25.4
 Release:        0
 Summary:        Console MPEG audio player and decoder library
 License:        LGPL-2.1

++++++ mpg123-1.25.3.tar.bz2 -> mpg123-1.25.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/NEWS new/mpg123-1.25.4/NEWS
--- old/mpg123-1.25.3/NEWS	2017-07-18 09:19:40.000000000 +0200
+++ new/mpg123-1.25.4/NEWS	2017-07-24 11:52:26.000000000 +0200
@@ -1,3 +1,11 @@
+1.25.4
+------
+- Better configure checks for i?86-apple-darwin (bug 253).
+- libmpg123:
+-- Prevent harmless call to memcpy(NULL, NULL, 0).
+-- More early checking of ID3v2 encoding values to avoid bogus text being
+   stored.
+
 1.25.3
 ------
 - libmpg123:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/configure new/mpg123-1.25.4/configure
--- old/mpg123-1.25.3/configure	2017-07-18 09:21:56.000000000 +0200
+++ new/mpg123-1.25.4/configure	2017-07-24 11:53:18.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mpg123 1.25.3.
+# Generated by GNU Autoconf 2.69 for mpg123 1.25.4.
 #
 # Report bugs to <maintainer@mpg123.org>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='mpg123'
 PACKAGE_TARNAME='mpg123'
-PACKAGE_VERSION='1.25.3'
-PACKAGE_STRING='mpg123 1.25.3'
+PACKAGE_VERSION='1.25.4'
+PACKAGE_STRING='mpg123 1.25.4'
 PACKAGE_BUGREPORT='maintainer@mpg123.org'
 PACKAGE_URL=''
 
@@ -1567,7 +1567,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mpg123 1.25.3 to adapt to many kinds of systems.
+\`configure' configures mpg123 1.25.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1637,7 +1637,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mpg123 1.25.3:";;
+     short | recursive ) echo "Configuration of mpg123 1.25.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1863,7 +1863,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mpg123 configure 1.25.3
+mpg123 configure 1.25.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2469,7 +2469,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mpg123 $as_me 1.25.3, which was
+It was created by mpg123 $as_me 1.25.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3425,7 +3425,7 @@
 
 # Define the identity of the package.
  PACKAGE='mpg123'
- VERSION='1.25.3'
+ VERSION='1.25.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14930,7 +14930,7 @@
   *-*-linux*|*-*-kfreebsd*-gnu)
     cpu_type="generic_fpu"
   ;;
-  i386-apple-darwin10*)
+  i?86-apple-darwin10*)
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking if CPU type supports x86-64" >&5
 $as_echo_n "checking if CPU type supports x86-64... " >&6; }
     case `sysctl -n hw.optional.x86_64` in
@@ -14947,7 +14947,7 @@
       ;;
     esac
   ;;
-  i386-apple-darwin*)
+  i?86-apple-darwin*)
     cpu_type="x86"
     newoldwritesample=enabled
   ;;
@@ -20241,7 +20241,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mpg123 $as_me 1.25.3, which was
+This file was extended by mpg123 $as_me 1.25.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20307,7 +20307,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mpg123 config.status 1.25.3
+mpg123 config.status 1.25.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/configure.ac new/mpg123-1.25.4/configure.ac
--- old/mpg123-1.25.3/configure.ac	2017-07-18 09:21:17.000000000 +0200
+++ new/mpg123-1.25.4/configure.ac	2017-07-24 11:52:33.000000000 +0200
@@ -8,7 +8,7 @@
 AC_PREREQ(2.57)
 
 dnl ############# Initialisation
-AC_INIT([mpg123], [1.25.3], [maintainer@mpg123.org])
+AC_INIT([mpg123], [1.25.4], [maintainer@mpg123.org])
 dnl Increment API_VERSION when the API gets changes (new functions).
 
 dnl libmpg123
@@ -586,7 +586,7 @@
   *-*-linux*|*-*-kfreebsd*-gnu)
     cpu_type="generic_fpu"
   ;;
-  i386-apple-darwin10*)
+  i?86-apple-darwin10*)
     AC_MSG_CHECKING([if CPU type supports x86-64])
     case `sysctl -n hw.optional.x86_64` in
       1)
@@ -600,7 +600,7 @@
       ;;
     esac
   ;;
-  i386-apple-darwin*)
+  i?86-apple-darwin*)
     cpu_type="x86"
     newoldwritesample=enabled
   ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/mpg123.spec new/mpg123-1.25.4/mpg123.spec
--- old/mpg123-1.25.3/mpg123.spec	2017-07-18 09:22:09.000000000 +0200
+++ new/mpg123-1.25.4/mpg123.spec	2017-07-24 11:53:32.000000000 +0200
@@ -3,7 +3,7 @@
 # - devel packages for alsa, sdl, etc... to build the respective output modules.
 Summary:	The fast console mpeg audio decoder/player.
 Name:		mpg123
-Version:	1.25.3
+Version:	1.25.4
 Release:	1
 URL:		http://www.mpg123.org/
 License:	GPL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/src/libmpg123/id3.c new/mpg123-1.25.4/src/libmpg123/id3.c
--- old/mpg123-1.25.3/src/libmpg123/id3.c	2017-07-18 09:18:46.000000000 +0200
+++ new/mpg123-1.25.4/src/libmpg123/id3.c	2017-07-24 11:52:08.000000000 +0200
@@ -250,6 +250,7 @@
 */
 static void store_id3_text(mpg123_string *sb, unsigned char *source, size_t source_size, const int noquiet, const int notranslate)
 {
+	unsigned char encoding;
 	if(!source_size)
 	{
 		debug("Empty id3 data!");
@@ -271,26 +272,29 @@
 		return;
 	}
 
-	id3_to_utf8(sb, source[0], source+1, source_size-1, noquiet);
+	encoding = source[0];
+	if(encoding > mpg123_id3_enc_max)
+	{
+		if(noquiet)
+			error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
+
+		mpg123_free_string(sb);
+		return;
+	}
+	id3_to_utf8(sb, encoding, source+1, source_size-1, noquiet);
 
 	if(sb->fill) debug1("UTF-8 string (the first one): %s", sb->p);
 	else if(noquiet) error("unable to convert string to UTF-8 (out of memory, junk input?)!");
 }
 
 /* On error, sb->size is 0. */
+/* Also, encoding has been checked already! */
 void id3_to_utf8(mpg123_string *sb, unsigned char encoding, const unsigned char *source, size_t source_size, int noquiet)
 {
 	unsigned int bwidth;
 	debug1("encoding: %u", encoding);
 	/* A note: ID3v2.3 uses UCS-2 non-variable 16bit encoding, v2.4 uses UTF16.
 	   UTF-16 uses a reserved/private range in UCS-2 to add the magic, so we just always treat it as UTF. */
-	if(encoding > mpg123_id3_enc_max)
-	{
-		if(noquiet) error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
-
-		mpg123_free_string(sb);
-		return;
-	}
 	bwidth = encoding_widths[encoding];
 	/* Hack! I've seen a stray zero byte before BOM. Is that supposed to happen? */
 	if(encoding != mpg123_id3_utf16be) /* UTF16be _can_ beging with a null byte! */
@@ -309,6 +313,7 @@
 	text_converters[encoding](sb, source, source_size, noquiet);
 }
 
+/* You have checked encoding to be in the range already. */
 static unsigned char *next_text(unsigned char* prev, unsigned char encoding, size_t limit)
 {
 	unsigned char *text = prev;
@@ -379,6 +384,12 @@
 		debug("Empty id3 data!");
 		return;
 	}
+	if(encoding > mpg123_id3_enc_max)
+	{
+		if(NOQUIET)
+			error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
+		return;
+	}
 	if(VERBOSE4) fprintf(stderr, "Note: Storing picture from APIC frame.\n");
 	/* decompose realdata accordingly */
 	i = add_picture(fr);
@@ -447,6 +458,12 @@
 		if(NOQUIET) error1("Invalid frame size of %"SIZE_P" (too small for anything).", (size_p)realsize);
 		return;
 	}
+	if(encoding > mpg123_id3_enc_max)
+	{
+		if(NOQUIET)
+			error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
+		return;
+	}
 	xcom = (tt == uslt ? add_text(fr) : add_comment(fr));
 	if(VERBOSE4) fprintf(stderr, "Note: Storing comment from %s encoding\n", enc_name(realdata[0]));
 	if(xcom == NULL)
@@ -529,6 +546,12 @@
 		if(NOQUIET) error1("Invalid frame size of %lu (too small for anything).", (unsigned long)realsize);
 		return;
 	}
+	if(encoding > mpg123_id3_enc_max)
+	{
+		if(NOQUIET)
+			error1("Unknown text encoding %u, I take no chances, sorry!", encoding);
+		return;
+	}
 	text = next_text(descr, encoding, realsize-(descr-realdata));
 	if(VERBOSE4) fprintf(stderr, "Note: Storing extra from %s encoding\n", enc_name(realdata[0]));
 	if(text == NULL)
@@ -878,7 +901,9 @@
 									debug2("ID3v2: de-unsync made %lu out of %lu bytes", realsize, framesize);
 								}
 								pos = 0; /* now at the beginning again... */
-								switch(tt)
+								/* Avoid reading over boundary, even if there is a */
+								/* zero byte of padding for safety. */
+								if(realsize) switch(tt)
 								{
 									case comment:
 									case uslt:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.3/src/libmpg123/stringbuf.c new/mpg123-1.25.4/src/libmpg123/stringbuf.c
--- old/mpg123-1.25.3/src/libmpg123/stringbuf.c	2017-07-18 09:18:46.000000000 +0200
+++ new/mpg123-1.25.4/src/libmpg123/stringbuf.c	2017-07-24 11:52:02.000000000 +0200
@@ -1,7 +1,8 @@
 /*
 	stringbuf: mimicking a bit of C++ to more safely handle strings
 
-	copyright 2006-10 by the mpg123 project - free software under the terms of the LGPL 2.1
+	copyright 2006-17 by the mpg123 project
+	    - free software under the terms of the LGPL 2.1
 	see COPYING and AUTHORS files in distribution or http://mpg123.org
 	initially written by Thomas Orgis
 */
@@ -86,7 +87,8 @@
 
 	if(mpg123_resize_string(to, fill))
 	{
-		memcpy(to->p, text, fill);
+		if(fill) /* Avoid memcpy(NULL, NULL, 0) */
+			memcpy(to->p, text, fill);
 		to->fill = fill;
 		return 1;
 	}

    

commit mpg123 for openSUSE:Factory

root＠hilbert.suse.de