- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)

- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)

libsndfile.spec

@@ -1,14 +1,21 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.17
-Release:	3%{?dist}
+Release:	4%{?dist}
 License:	LGPL
 Group:		System Environment/Libraries
 URL:		http://www.mega-nerd.com/libsndfile/
 Source0:	http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0:         libsndfile-1.0.17+flac-1.1.3.patch
 Patch1:         libsndfile-1.0.17-flac-buffer-overflow.patch
+
+#from upstream, for libsndfile < 1.0.19, CVE-2009-0186
 Patch2:		libsndfile-1.0.17-channels-per-frame-overflow.patch
+
+#from upstream, for libsndfile < 1.0.20, CVE-2009-1788 CVE-2009-1791 
+#http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
+Patch3:		voc-aiff-patch-1.0.17.diff
+
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 
 BuildRequires:	alsa-lib-devel
@@ -37,6 +44,7 @@ This package contains files needed to develop with libsndfile.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %configure --disable-dependency-tracking
@@ -84,6 +92,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Dec 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-4
+- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
+- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)
+
 * Thu Jul  8 2010 Michel Salim <salimma@fedoraproject.org> - 1.0.17-3
 - Fix for channel per frame overflow (CVE-2009-0186, #488364)
 

voc-aiff-patch-1.0.17.diff

@@ -0,0 +1,52 @@
+diff -ur libsndfile-1.0.17-orig/src/aiff.c libsndfile-1.0.17/src/aiff.c
+--- libsndfile-1.0.17-orig/src/aiff.c	2006-08-31 19:22:07.000000000 +1000
++++ libsndfile-1.0.17/src/aiff.c	2009-04-27 19:24:01.000000000 +1000
+@@ -714,13 +714,25 @@
+ 						psf_log_printf (psf, "  Count : %d\n", mark_count) ;
+ 
+ 						for (n = 0 ; n < mark_count && bytesread < dword ; n++)
+-						{	bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ;
+-							psf_log_printf (psf, "   Mark ID  : %u\n   Position : %u\n", mark_id, position) ;
++						{	unsigned int pstr_len ;
++							unsigned char ch ;
+ 
+-							pstr_len += (pstr_len & 1) + 1 ; /* fudgy, fudgy, hack, hack */
+-
+-							bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
+-							psf_log_printf (psf, "   Name     : %s\n", psf->u.scbuf) ;
++							bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ;
++  							psf_log_printf (psf, "   Mark ID  : %u\n   Position : %u\n", mark_id, position) ;
++  
++							pstr_len = (ch & 1) ? ch : ch + 1 ;
++
++							if (pstr_len < sizeof (psf->u.scbuf) - 1)
++							{	bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
++								psf->u.scbuf [pstr_len] = 0 ;
++								}
++							else
++							{	unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ;
++								bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ;
++								psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ;
++								}
++  
++  							psf_log_printf (psf, "   Name     : %s\n", psf->u.scbuf) ;
+ 
+ 							markstr [n].markerID = mark_id ;
+ 							markstr [n].position = position ;
+diff -ur libsndfile-1.0.17-orig/src/voc.c libsndfile-1.0.17/src/voc.c
+--- libsndfile-1.0.17-orig/src/voc.c	2006-08-31 19:22:07.000000000 +1000
++++ libsndfile-1.0.17/src/voc.c	2009-04-27 19:21:18.000000000 +1000
+@@ -209,6 +209,13 @@
+ 
+ 						psf_log_printf (psf, " ASCII : %d\n", size) ;
+ 
++						if (size < sizeof (psf->header) - 1)
++						{	offset += psf_binheader_readf (psf, "b", psf->header, size) ;
++							psf->header [size] = 0 ;
++							psf_log_printf (psf, "  text : %s\n", psf->header) ;
++							continue ;
++							}
++
+ 						offset += psf_binheader_readf (psf, "b", psf->header, size) ;
+ 						psf->header [size] = 0 ;
+ 						psf_log_printf (psf, "  text : %s\n", psf->header) ;