From 72d53ebcd9dcb526a006894952d67a42049bf226 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Jan 12 2009 14:52:33 +0000
Subject: - backport security patch
---
diff --git a/amarok-1.4.10-aa_security.patch b/amarok-1.4.10-aa_security.patch
new file mode 100644
index 0000000..851041e
--- /dev/null
+++ b/amarok-1.4.10-aa_security.patch
@@ -0,0 +1,85 @@
+--- branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp 2007/06/13 18:53:16 675130
++++ branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415
+@@ -71,7 +71,8 @@
+ {
+ char buf[1023];
+ fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+- fread(buf, strlen("product_id"), 1, fp);
++ if (fread(buf, strlen("product_id"), 1, fp) != 1)
++ return;
+ if(memcmp(buf, "product_id", strlen("product_id")))
+ {
+ buf[20]='\0';
+@@ -130,24 +131,65 @@
+
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
++ const uint32_t maxtaglen = 100000;
++
+ uint32_t nlen;
+- fread(&nlen, sizeof(nlen), 1, fp);
++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++ return false;
+ nlen = ntohl(nlen);
+ //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+- *name = new char[nlen+1];
+- (*name)[nlen] = '\0';
++ if (nlen > maxtaglen)
++ return false;
+
+ uint32_t vlen;
+- fread(&vlen, sizeof(vlen), 1, fp);
++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++ return false;
+ vlen = ntohl(vlen);
+ //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++ if (vlen > maxtaglen)
++ return false;
++
++ *name = new char[nlen+1];
++ if (!*name)
++ return false;
++
+ *value = new char[vlen+1];
++ if (!*value)
++ {
++ delete[] *name;
++ *name = 0;
++ return false;
++ }
++
++ (*name)[nlen] = '\0';
+ (*value)[vlen] = '\0';
+
+- fread(*name, nlen, 1, fp);
+- fread(*value, vlen, 1, fp);
++ if (fread(*name, nlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
++ if (fread(*value, vlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ char lasttag;
+- fread(&lasttag, 1, 1, fp);
++ if (fread(&lasttag, 1, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+
+ m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
diff --git a/amarok.spec b/amarok.spec
index 50d62f4..9bcea70 100644
--- a/amarok.spec
+++ b/amarok.spec
@@ -31,7 +31,7 @@ Name: amarok Summary: Media player Version: 1.4.10 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/Multimedia License: GPLv2+
@@ -43,6 +43,10 @@ Patch1: amarok-1.4.8-gcc43.patch # Use xdg-open to start the selected browser Patch2: amarok-1.4.7-xdg.patch +## upstream patches +# security backport: http://websvn.kde.org/?view=rev&revision=908415 +Patch100: amarok-1.4.10-aa_security.patch + BuildRequires: alsa-lib-devel BuildRequires: desktop-file-utils BuildRequires: esound-devel
@@ -143,6 +147,7 @@ use any of xmms' visualisation plugins with Amarok. %patch1 -p1 -b .gcc43 %patch2 -p1 -b .xdg +%patch100 -p4 -b .aa_security %build
@@ -304,6 +309,9 @@ rm -fr $RPM_BUILD_ROOT %changelog +* Mon Jan 12 2009 Rex Dieter - 1.4.10-2 +- backport security patch + * Wed Aug 13 2008 Rex Dieter - 1.4.10-1 - amarok-1.4.10
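Review bot: In the backported `readTag` change, the early `return false` paths (failed length reads, `nlen > maxtaglen`, `vlen > maxtaglen`) leave `*name` and `*value` untouched, while the later failure paths reset them to 0. The caller is not part of this patch, so if it inspects or `delete[]`s the pointers after a false return it would act on stale or uninitialised values; putting `*name = 0; *value = 0;` as the first statement of `readTag` makes every failure path consistent. Separately, `fread(*name, nlen, 1, fp) != 1` and the matching call for `*value` reject a zero-length field, because `fread` returns 0 when the element size is 0; a guard such as `if (nlen && fread(*name, nlen, 1, fp) != 1)` keeps empty tags readable. The `if (!*name)` and `if (!*value)` checks cannot fire, since plain `new char[...]` does not return null on failure. The body of `readTag` continues past the last line of the inner hunk.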