pulseaudio: update to 6.0
Signed-off-by: Peter Wagner <tripolar@gmx.at>
This commit is contained in:
Peter Wagner
parent
2ce8100c3f
commit
43b06049c3
3 changed files with 5 additions and 62 deletions
|
|
@ -8,16 +8,16 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=pulseaudio
|
||||
PKG_VERSION:=5.0
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=6.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=http://freedesktop.org/software/pulseaudio/releases/
|
||||
PKG_MD5SUM:=c43749838612f4860465e83ed62ca38e
|
||||
PKG_MD5SUM:=b691e83b7434c678dffacfa3a027750e
|
||||
PKG_LICENSE:=LGPL-2.1+
|
||||
PKG_LICENSE_FILES:=GPL LICENSE
|
||||
|
||||
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
|
||||
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
|
||||
PKG_BUILD_DEPENDS:=intltool/host
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
--- a/src/pulsecore/memblock.c
|
||||
+++ b/src/pulsecore/memblock.c
|
||||
@@ -57,7 +57,7 @@
|
||||
@@ -55,7 +55,7 @@
|
||||
* stored in SHM and our OS does not commit the memory before we use
|
||||
* it for the first time. */
|
||||
#define PA_MEMPOOL_SLOTS_MAX 1024
|
||||
|
|
|
|||
|
|
@ -1,57 +0,0 @@
|
|||
From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
|
||||
From: "Alexander E. Patrakov" <patrakov@gmail.com>
|
||||
Date: Thu, 5 Jun 2014 22:29:25 +0600
|
||||
Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
|
||||
|
||||
On FIONREAD returning 0 bytes, we cannot return success, as the caller
|
||||
(rtpoll_work_cb in module-rtp-recv.c) would then try to
|
||||
pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
|
||||
an assertion.
|
||||
|
||||
Also we have to read out the possible empty packet from the socket, so
|
||||
that the kernel doesn't tell us again and again about it.
|
||||
|
||||
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
|
||||
---
|
||||
src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
|
||||
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
|
||||
index 570737e..7b75e0e 100644
|
||||
--- a/src/modules/rtp/rtp.c
|
||||
+++ b/src/modules/rtp/rtp.c
|
||||
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- if (size <= 0)
|
||||
- return 0;
|
||||
+ if (size <= 0) {
|
||||
+ /* size can be 0 due to any of the following reasons:
|
||||
+ *
|
||||
+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
|
||||
+ * 2. Somebody sent us a UDP packet with a bad CRC.
|
||||
+ *
|
||||
+ * It is unknown whether size can actually be less than zero.
|
||||
+ *
|
||||
+ * In the first case, the packet has to be read out, otherwise the
|
||||
+ * kernel will tell us again and again about it, thus preventing
|
||||
+ * reception of any further packets. So let's just read it out
|
||||
+ * now and discard it later, when comparing the number of bytes
|
||||
+ * received (0) with the number of bytes wanted (1, see below).
|
||||
+ *
|
||||
+ * In the second case, recvmsg() will fail, thus allowing us to
|
||||
+ * return the error.
|
||||
+ *
|
||||
+ * Just to avoid passing zero-sized memchunks and NULL pointers to
|
||||
+ * recvmsg(), let's force allocation of at least one byte by setting
|
||||
+ * size to 1.
|
||||
+ */
|
||||
+ size = 1;
|
||||
+ }
|
||||
|
||||
if (c->memchunk.length < (unsigned) size) {
|
||||
size_t l;
|
||||
--
|
||||
2.0.0
|
||||
|
||||
Loading…
Reference in a new issue