fixes integer overflow by processing certain PAF audio files (#721239)

libsndfile-1.0.17-r1610.patch

@@ -0,0 +1,56 @@
+diff -U0 libsndfile-1.0.17/ChangeLog.r1610 libsndfile-1.0.17/ChangeLog
+--- libsndfile-1.0.17/ChangeLog.r1610	2006-08-31 11:39:36.000000000 +0200
++++ libsndfile-1.0.17/ChangeLog	2011-07-14 14:32:34.216206494 +0200
+@@ -0,0 +1,6 @@
++2011-07-05  Erik de Castro Lopo  <erikd AT mega-nerd DOT com>
++
++    * src/paf.c src/common.h src/sndfile.c
++    Fix for Secunia Advisory SA45125, heap overflow (heap gets overwritten with
++    byte value of 0) due to integer overflow if PAF file handler.
++
+diff -up libsndfile-1.0.17/src/common.h.r1610 libsndfile-1.0.17/src/common.h
+--- libsndfile-1.0.17/src/common.h.r1610	2006-08-31 11:22:07.000000000 +0200
++++ libsndfile-1.0.17/src/common.h	2011-07-14 14:29:38.309145864 +0200
+@@ -454,6 +454,7 @@ enum
+ 	SFE_PAF_VERSION,
+ 	SFE_PAF_UNKNOWN_FORMAT,
+ 	SFE_PAF_SHORT_HEADER,
++	SFE_PAF_BAD_CHANNELS,
+ 
+ 	SFE_SVX_NO_FORM,
+ 	SFE_SVX_NO_BODY,
+diff -up libsndfile-1.0.17/src/paf.c.r1610 libsndfile-1.0.17/src/paf.c
+--- libsndfile-1.0.17/src/paf.c.r1610	2006-08-31 11:22:07.000000000 +0200
++++ libsndfile-1.0.17/src/paf.c	2011-07-14 14:29:38.309145864 +0200
+@@ -163,6 +163,9 @@ paf_read_header	(SF_PRIVATE *psf)
+ {	PAF_FMT		paf_fmt ;
+ 	int			marker ;
+ 
++	if (psf->filelength < PAF_HEADER_LENGTH)
++		return SFE_PAF_SHORT_HEADER ;
++
+ 	memset (&paf_fmt, 0, sizeof (paf_fmt)) ;
+ 	psf_binheader_readf (psf, "pm", 0, &marker) ;
+ 
+@@ -199,8 +202,8 @@ paf_read_header	(SF_PRIVATE *psf)
+ 		psf->endian = SF_ENDIAN_BIG ;
+ 		} ;
+ 
+-	if (psf->filelength < PAF_HEADER_LENGTH)
+-		return SFE_PAF_SHORT_HEADER ;
++	if (paf_fmt.channels > SF_MAX_CHANNELS)
++		return SFE_PAF_BAD_CHANNELS ;
+ 
+ 	psf->datalength = psf->filelength - psf->dataoffset ;
+ 
+diff -up libsndfile-1.0.17/src/sndfile.c.r1610 libsndfile-1.0.17/src/sndfile.c
+--- libsndfile-1.0.17/src/sndfile.c.r1610	2006-08-31 11:22:07.000000000 +0200
++++ libsndfile-1.0.17/src/sndfile.c	2011-07-14 14:29:38.311145864 +0200
+@@ -146,6 +146,7 @@ ErrorStruct SndfileErrors [] =
+ 	{	SFE_PAF_VERSION			, "Error in PAF file, bad version." },
+ 	{	SFE_PAF_UNKNOWN_FORMAT	, "Error in PAF file, unknown format." },
+ 	{	SFE_PAF_SHORT_HEADER	, "Error in PAF file. File shorter than minimal header." },
++	{	SFE_PAF_BAD_CHANNELS	, "Error in PAF file. Bad channel count." },
+ 
+ 	{	SFE_SVX_NO_FORM			, "Error in 8SVX / 16SV file, no 'FORM' marker." },
+ 	{	SFE_SVX_NO_BODY			, "Error in 8SVX / 16SV file, no 'BODY' marker." },

libsndfile.spec

@@ -1,7 +1,7 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.17
-Release:	4%{?dist}
+Release:	5%{?dist}
 License:	LGPL
 Group:		System Environment/Libraries
 URL:		http://www.mega-nerd.com/libsndfile/
@@ -16,6 +16,9 @@ Patch2:		libsndfile-1.0.17-channels-per-frame-overflow.patch
 #http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
 Patch3:		voc-aiff-patch-1.0.17.diff
 
+#from upstream, for libsndfile < 1.0.25, crash by overflow with some PAF files (#721239)
+Patch4:         libsndfile-1.0.17-r1610.patch
+
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 
 BuildRequires:	alsa-lib-devel
@@ -45,6 +48,7 @@ This package contains files needed to develop with libsndfile.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 %configure --disable-dependency-tracking
@@ -92,6 +96,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Jul 14 2011 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-5
+- fixes integer overflow by processing certain PAF audio files (#721239)
+
 * Thu Dec 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-4
 - fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
 - fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)