SOURCES: libsndfile-flac_buffer_overflow.patch (NEW) - stolen from...
sls
sls at pld-linux.org
Fri Dec 14 01:46:28 CET 2007
Author: sls Date: Fri Dec 14 00:46:28 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- stolen from Fedora:
"Fixing CVE-2007-4974. Thanks to the gentoo people for the patch"
---- Files affected:
SOURCES:
libsndfile-flac_buffer_overflow.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/libsndfile-flac_buffer_overflow.patch
diff -u /dev/null SOURCES/libsndfile-flac_buffer_overflow.patch:1.1
--- /dev/null Fri Dec 14 01:46:28 2007
+++ SOURCES/libsndfile-flac_buffer_overflow.patch Fri Dec 14 01:46:23 2007
@@ -0,0 +1,40 @@
+Index: libsndfile-1.0.17/src/flac.c
+===================================================================
+--- libsndfile-1.0.17.orig/src/flac.c
++++ libsndfile-1.0.17/src/flac.c
+@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
+ ** Private static functions.
+ */
+
+-#define ENC_BUFFER_SIZE 4096
++#define ENC_BUFFER_SIZE 8192
+
+ typedef enum
+ { PFLAC_PCM_SHORT = 0,
+@@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ const FLAC__int32* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset ;
+
++ /*
++ ** frame->header.blocksize is variable and we're using a constant blocksize
++ ** of FLAC__MAX_BLOCK_SIZE.
++ ** Check our assumptions here.
++ */
++ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
++ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
++ psf->error = SFE_INTERNAL ;
++ return 0 ;
++ } ;
++
+ if (pflac->ptr == NULL)
+ { /*
+ ** Not sure why this code is here and not elsewhere.
+@@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ pflac->bufferbackup = SF_TRUE ;
+ for (i = 0 ; i < frame->header.channels ; i++)
+ { if (pflac->rbuffer [i] == NULL)
+- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
++ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
+ memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
+ } ;
+ pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
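Review bot: The `psf_log_printf` call in the new blocksize check passes four arguments (`__func__`, `__LINE__`, `frame->header.blocksize`, `FLAC__MAX_BLOCK_SIZE`) to a format string with only two `%d` conversions, so the message that should record an oversized frame would print the function-name pointer and the line number instead of the offending blocksize and the limit. Either drop the two leading arguments or give them their own conversions, e.g. `"%s:%d Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n"`. In the last inner hunk the `calloc` result still goes straight into `memcpy`, so an allocation failure becomes a NULL write while decoding what may be an untrusted file. A guard before the copy, such as `if (pflac->rbuffer [i] == NULL) { psf->error = SFE_MALLOC_FAILED ; return 0 ; }`, would fail the same way the new blocksize check does. The body of `flac_buffer_copy` begins and ends outside the lines shown, so whether `frame->header.channels` is bounded against the size of `rbuffer` cannot be confirmed from here and is worth checking in the full file.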
================================================================