- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)
parent
beeb5bf9f5
commit
d5d84f0a46
|
@ -1,14 +1,21 @@
|
|||
Summary: Library for reading and writing sound files
|
||||
Name: libsndfile
|
||||
Version: 1.0.17
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: LGPL
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.mega-nerd.com/libsndfile/
|
||||
Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
|
||||
Patch0: libsndfile-1.0.17+flac-1.1.3.patch
|
||||
Patch1: libsndfile-1.0.17-flac-buffer-overflow.patch
|
||||
|
||||
#from upstream, for libsndfile < 1.0.19, CVE-2009-0186
|
||||
Patch2: libsndfile-1.0.17-channels-per-frame-overflow.patch
|
||||
|
||||
#from upstream, for libsndfile < 1.0.20, CVE-2009-1788 CVE-2009-1791
|
||||
#http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
|
||||
Patch3: voc-aiff-patch-1.0.17.diff
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
|
||||
|
||||
BuildRequires: alsa-lib-devel
|
||||
|
@ -37,6 +44,7 @@ This package contains files needed to develop with libsndfile.
|
|||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-dependency-tracking
|
||||
|
@ -84,6 +92,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-4
|
||||
- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
|
||||
- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)
|
||||
|
||||
* Thu Jul 8 2010 Michel Salim <salimma@fedoraproject.org> - 1.0.17-3
|
||||
- Fix for channel per frame overflow (CVE-2009-0186, #488364)
|
||||
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
diff -ur libsndfile-1.0.17-orig/src/aiff.c libsndfile-1.0.17/src/aiff.c
|
||||
--- libsndfile-1.0.17-orig/src/aiff.c 2006-08-31 19:22:07.000000000 +1000
|
||||
+++ libsndfile-1.0.17/src/aiff.c 2009-04-27 19:24:01.000000000 +1000
|
||||
@@ -714,13 +714,25 @@
|
||||
psf_log_printf (psf, " Count : %d\n", mark_count) ;
|
||||
|
||||
for (n = 0 ; n < mark_count && bytesread < dword ; n++)
|
||||
- { bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ;
|
||||
- psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
|
||||
+ { unsigned int pstr_len ;
|
||||
+ unsigned char ch ;
|
||||
|
||||
- pstr_len += (pstr_len & 1) + 1 ; /* fudgy, fudgy, hack, hack */
|
||||
-
|
||||
- bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
|
||||
- psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
|
||||
+ bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ;
|
||||
+ psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
|
||||
+
|
||||
+ pstr_len = (ch & 1) ? ch : ch + 1 ;
|
||||
+
|
||||
+ if (pstr_len < sizeof (psf->u.scbuf) - 1)
|
||||
+ { bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
|
||||
+ psf->u.scbuf [pstr_len] = 0 ;
|
||||
+ }
|
||||
+ else
|
||||
+ { unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ;
|
||||
+ bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ;
|
||||
+ psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ;
|
||||
+ }
|
||||
+
|
||||
+ psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
|
||||
|
||||
markstr [n].markerID = mark_id ;
|
||||
markstr [n].position = position ;
|
||||
diff -ur libsndfile-1.0.17-orig/src/voc.c libsndfile-1.0.17/src/voc.c
|
||||
--- libsndfile-1.0.17-orig/src/voc.c 2006-08-31 19:22:07.000000000 +1000
|
||||
+++ libsndfile-1.0.17/src/voc.c 2009-04-27 19:21:18.000000000 +1000
|
||||
@@ -209,6 +209,13 @@
|
||||
|
||||
psf_log_printf (psf, " ASCII : %d\n", size) ;
|
||||
|
||||
+ if (size < sizeof (psf->header) - 1)
|
||||
+ { offset += psf_binheader_readf (psf, "b", psf->header, size) ;
|
||||
+ psf->header [size] = 0 ;
|
||||
+ psf_log_printf (psf, " text : %s\n", psf->header) ;
|
||||
+ continue ;
|
||||
+ }
|
||||
+
|
||||
offset += psf_binheader_readf (psf, "b", psf->header, size) ;
|
||||
psf->header [size] = 0 ;
|
||||
psf_log_printf (psf, " text : %s\n", psf->header) ;
|
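Review bot: In the voc.c hunk the oversized case is still unguarded: the added `if (size < sizeof (psf->header) - 1)` block handles the in-bounds read and `continue`s, but the three original lines after it remain as context, so any `size` that fails the check falls through to the same `psf_binheader_readf (psf, "b", psf->header, size)` and `psf->header [size] = 0` as before. `size` is logged with `%d`, so if it is a signed int, a negative value would also fail the unsigned comparison and take that path. The fall-through should skip the text instead of storing it, for example by replacing those three lines with `offset += psf_binheader_readf (psf, "j", size) ;` (assuming `"j"` is the skip format, as its use in the aiff.c hunk suggests). The enclosing loop starts and ends outside the hunk, so what follows the fall-through cannot be checked from here. Separately, the `else` branch in the aiff.c hunk reads `read_len` (the excess) bytes and skips the buffer capacity, which looks inverted; `ch` is an unsigned char, so `pstr_len` cannot exceed 255 and the branch is probably unreachable, but that deserves a comment.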