Browse Source

pulseaudio: update to 6.0

Signed-off-by: Peter Wagner <tripolar@gmx.at>
lilik-openwrt-22.03
Peter Wagner 10 years ago
parent
commit
43b06049c3
3 changed files with 5 additions and 62 deletions
  1. +4
    -4
      sound/pulseaudio/Makefile
  2. +1
    -1
      sound/pulseaudio/patches/001-no_default_64mb_alloc.patch
  3. +0
    -57
      sound/pulseaudio/patches/002-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-3970.patch

+ 4
- 4
sound/pulseaudio/Makefile View File

@ -8,16 +8,16 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=pulseaudio
PKG_VERSION:=5.0
PKG_RELEASE:=2
PKG_VERSION:=6.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://freedesktop.org/software/pulseaudio/releases/
PKG_MD5SUM:=c43749838612f4860465e83ed62ca38e
PKG_MD5SUM:=b691e83b7434c678dffacfa3a027750e
PKG_LICENSE:=LGPL-2.1+
PKG_LICENSE_FILES:=GPL LICENSE
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_BUILD_DEPENDS:=intltool/host
PKG_FIXUP:=autoreconf


+ 1
- 1
sound/pulseaudio/patches/001-no_default_64mb_alloc.patch View File

@ -1,6 +1,6 @@
--- a/src/pulsecore/memblock.c
+++ b/src/pulsecore/memblock.c
@@ -57,7 +57,7 @@
@@ -55,7 +55,7 @@
* stored in SHM and our OS does not commit the memory before we use
* it for the first time. */
#define PA_MEMPOOL_SLOTS_MAX 1024


+ 0
- 57
sound/pulseaudio/patches/002-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-3970.patch View File

@ -1,57 +0,0 @@
From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
From: "Alexander E. Patrakov" <patrakov@gmail.com>
Date: Thu, 5 Jun 2014 22:29:25 +0600
Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
On FIONREAD returning 0 bytes, we cannot return success, as the caller
(rtpoll_work_cb in module-rtp-recv.c) would then try to
pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
an assertion.
Also we have to read out the possible empty packet from the socket, so
that the kernel doesn't tell us again and again about it.
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
---
src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
index 570737e..7b75e0e 100644
--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
goto fail;
}
- if (size <= 0)
- return 0;
+ if (size <= 0) {
+ /* size can be 0 due to any of the following reasons:
+ *
+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+ * 2. Somebody sent us a UDP packet with a bad CRC.
+ *
+ * It is unknown whether size can actually be less than zero.
+ *
+ * In the first case, the packet has to be read out, otherwise the
+ * kernel will tell us again and again about it, thus preventing
+ * reception of any further packets. So let's just read it out
+ * now and discard it later, when comparing the number of bytes
+ * received (0) with the number of bytes wanted (1, see below).
+ *
+ * In the second case, recvmsg() will fail, thus allowing us to
+ * return the error.
+ *
+ * Just to avoid passing zero-sized memchunks and NULL pointers to
+ * recvmsg(), let's force allocation of at least one byte by setting
+ * size to 1.
+ */
+ size = 1;
+ }
if (c->memchunk.length < (unsigned) size) {
size_t l;
--
2.0.0

Loading…
Cancel
Save