Package: libsndfile / 1.0.21-3+squeeze2

03CVE-2011-2696.diff Patch series | download
--- src/common.h	2011-07-06 09:28:50 +0000
+++ libsndfile-1.0.21/src/common.h	2011-07-06 09:40:05 +0000
@@ -552,6 +552,7 @@
 	SFE_PAF_VERSION,
 	SFE_PAF_UNKNOWN_FORMAT,
 	SFE_PAF_SHORT_HEADER,
+	SFE_PAF_BAD_CHANNELS,
 
 	SFE_SVX_NO_FORM,
 	SFE_SVX_NO_BODY,

--- src/paf.c	2011-01-19 10:36:56 +0000
+++ libsndfile-1.0.21/src/paf.c	2011-07-06 09:40:05 +0000
@@ -163,6 +163,9 @@
 {	PAF_FMT		paf_fmt ;
 	int			marker ;
 
+	if (psf->filelength < PAF_HEADER_LENGTH)
+		return SFE_PAF_SHORT_HEADER ;
+
 	memset (&paf_fmt, 0, sizeof (paf_fmt)) ;
 	psf_binheader_readf (psf, "pm", 0, &marker) ;
 
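Review bot: The relocated length check at `if (psf->filelength < PAF_HEADER_LENGTH)` has no comment saying why it must come before `psf_binheader_readf`, so a later refactor could move it back below the header parsing. I would add `/* Reject truncated files before any header field is read or trusted. */` directly above it. The enclosing function starts and ends outside this hunk.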
@@ -199,8 +202,8 @@
 		psf->endian = SF_ENDIAN_BIG ;
 		} ;
 
-	if (psf->filelength < PAF_HEADER_LENGTH)
-		return SFE_PAF_SHORT_HEADER ;
+	if (paf_fmt.channels > SF_MAX_CHANNELS)
+		return SFE_PAF_BAD_CHANNELS ;
 
 	psf->datalength = psf->filelength - psf->dataoffset ;
 
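Review bot: The new check `if (paf_fmt.channels > SF_MAX_CHANNELS)` bounds only the upper side, so a channel count of zero read from the file header still passes. If the field is a signed type, which this hunk does not show, a negative count passes as well. Either value then reaches whatever per-channel sizing or arithmetic follows. Rejecting both ends closes that gap: `if (paf_fmt.channels < 1 || paf_fmt.channels > SF_MAX_CHANNELS)`. The enclosing function continues outside the hunk, so the later uses of the channel count cannot be confirmed from here.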

--- src/sndfile.c	2011-07-06 09:28:50 +0000
+++ libsndfile-1.0.21/src/sndfile.c	2011-07-06 09:40:05 +0000
@@ -174,6 +174,7 @@
 	{	SFE_PAF_VERSION			, "Error in PAF file, bad version." },
 	{	SFE_PAF_UNKNOWN_FORMAT	, "Error in PAF file, unknown format." },
 	{	SFE_PAF_SHORT_HEADER	, "Error in PAF file. File shorter than minimal header." },
+	{	SFE_PAF_BAD_CHANNELS	, "Error in PAF file. Bad channel count." },
 
 	{	SFE_SVX_NO_FORM			, "Error in 8SVX / 16SV file, no 'FORM' marker." },
 	{	SFE_SVX_NO_BODY			, "Error in 8SVX / 16SV file, no 'BODY' marker." },