fixes integer overflow by processing certain PAF audio files (#721239)
parent
d5d84f0a46
commit
ae5575729f
|
@ -0,0 +1,56 @@
|
|||
diff -U0 libsndfile-1.0.17/ChangeLog.r1610 libsndfile-1.0.17/ChangeLog
|
||||
--- libsndfile-1.0.17/ChangeLog.r1610 2006-08-31 11:39:36.000000000 +0200
|
||||
+++ libsndfile-1.0.17/ChangeLog 2011-07-14 14:32:34.216206494 +0200
|
||||
@@ -0,0 +1,6 @@
|
||||
+2011-07-05 Erik de Castro Lopo <erikd AT mega-nerd DOT com>
|
||||
+
|
||||
+ * src/paf.c src/common.h src/sndfile.c
|
||||
+ Fix for Secunia Advisory SA45125, heap overflow (heap gets overwritten with
|
||||
+ byte value of 0) due to integer overflow if PAF file handler.
|
||||
+
|
||||
diff -up libsndfile-1.0.17/src/common.h.r1610 libsndfile-1.0.17/src/common.h
|
||||
--- libsndfile-1.0.17/src/common.h.r1610 2006-08-31 11:22:07.000000000 +0200
|
||||
+++ libsndfile-1.0.17/src/common.h 2011-07-14 14:29:38.309145864 +0200
|
||||
@@ -454,6 +454,7 @@ enum
|
||||
SFE_PAF_VERSION,
|
||||
SFE_PAF_UNKNOWN_FORMAT,
|
||||
SFE_PAF_SHORT_HEADER,
|
||||
+ SFE_PAF_BAD_CHANNELS,
|
||||
|
||||
SFE_SVX_NO_FORM,
|
||||
SFE_SVX_NO_BODY,
|
||||
diff -up libsndfile-1.0.17/src/paf.c.r1610 libsndfile-1.0.17/src/paf.c
|
||||
--- libsndfile-1.0.17/src/paf.c.r1610 2006-08-31 11:22:07.000000000 +0200
|
||||
+++ libsndfile-1.0.17/src/paf.c 2011-07-14 14:29:38.309145864 +0200
|
||||
@@ -163,6 +163,9 @@ paf_read_header (SF_PRIVATE *psf)
|
||||
{ PAF_FMT paf_fmt ;
|
||||
int marker ;
|
||||
|
||||
+ if (psf->filelength < PAF_HEADER_LENGTH)
|
||||
+ return SFE_PAF_SHORT_HEADER ;
|
||||
+
|
||||
memset (&paf_fmt, 0, sizeof (paf_fmt)) ;
|
||||
psf_binheader_readf (psf, "pm", 0, &marker) ;
|
||||
|
||||
@@ -199,8 +202,8 @@ paf_read_header (SF_PRIVATE *psf)
|
||||
psf->endian = SF_ENDIAN_BIG ;
|
||||
} ;
|
||||
|
||||
- if (psf->filelength < PAF_HEADER_LENGTH)
|
||||
- return SFE_PAF_SHORT_HEADER ;
|
||||
+ if (paf_fmt.channels > SF_MAX_CHANNELS)
|
||||
+ return SFE_PAF_BAD_CHANNELS ;
|
||||
|
||||
psf->datalength = psf->filelength - psf->dataoffset ;
|
||||
|
||||
diff -up libsndfile-1.0.17/src/sndfile.c.r1610 libsndfile-1.0.17/src/sndfile.c
|
||||
--- libsndfile-1.0.17/src/sndfile.c.r1610 2006-08-31 11:22:07.000000000 +0200
|
||||
+++ libsndfile-1.0.17/src/sndfile.c 2011-07-14 14:29:38.311145864 +0200
|
||||
@@ -146,6 +146,7 @@ ErrorStruct SndfileErrors [] =
|
||||
{ SFE_PAF_VERSION , "Error in PAF file, bad version." },
|
||||
{ SFE_PAF_UNKNOWN_FORMAT , "Error in PAF file, unknown format." },
|
||||
{ SFE_PAF_SHORT_HEADER , "Error in PAF file. File shorter than minimal header." },
|
||||
+ { SFE_PAF_BAD_CHANNELS , "Error in PAF file. Bad channel count." },
|
||||
|
||||
{ SFE_SVX_NO_FORM , "Error in 8SVX / 16SV file, no 'FORM' marker." },
|
||||
{ SFE_SVX_NO_BODY , "Error in 8SVX / 16SV file, no 'BODY' marker." },
|
|
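Review bot: The channel check added to paf_read_header in the paf.c hunk of this patch bounds only the upper end: `if (paf_fmt.channels > SF_MAX_CHANNELS)` accepts a zero count and, if the field is a signed int (its declaration is not shown here), a negative one from the file header. A two-sided check such as `if (paf_fmt.channels < 1 || paf_fmt.channels > SF_MAX_CHANNELS)` would reject both with the same `SFE_PAF_BAD_CHANNELS` error. The body of paf_read_header continues outside the hunk, so whether later code already rejects those values cannot be confirmed from this page. A short comment above the check, e.g. `/* Channel count comes from the file header; bound it before it feeds any size calculation. */`, would record why the check sits here.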
@ -1,7 +1,7 @@
|
|||
Summary: Library for reading and writing sound files
|
||||
Name: libsndfile
|
||||
Version: 1.0.17
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: LGPL
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.mega-nerd.com/libsndfile/
|
||||
|
@ -16,6 +16,9 @@ Patch2: libsndfile-1.0.17-channels-per-frame-overflow.patch
|
|||
#http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
|
||||
Patch3: voc-aiff-patch-1.0.17.diff
|
||||
|
||||
#from upstream, for libsndfile < 1.0.25, crash by overflow with some PAF files (#721239)
|
||||
Patch4: libsndfile-1.0.17-r1610.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
|
||||
|
||||
BuildRequires: alsa-lib-devel
|
||||
|
@ -45,6 +48,7 @@ This package contains files needed to develop with libsndfile.
|
|||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-dependency-tracking
|
||||
|
@ -92,6 +96,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 14 2011 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-5
|
||||
- fixes integer overflow by processing certain PAF audio files (#721239)
|
||||
|
||||
* Thu Dec 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-4
|
||||
- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
|
||||
- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)
|
||||
|
|
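Review bot: The new %changelog entry for 1.0.17-5 and the comment above `Patch4:` identify the fix only by bug number (#721239), while the 1.0.17-4 entries directly below name their advisories. The ChangeLog hunk inside the added patch cites Secunia Advisory SA45125, so the entry could carry it as well, e.g. `- fix SA45125 : PAF file heap overflow caused by integer overflow (#721239)`. That lets anyone auditing the package changelog for advisory coverage find this fix without opening the patch.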