Package: libsndfile / 1.0.21-3+squeeze2

102_sd2_buffer_read_overflow.diff Patch series | download
From dbe14f00030af5d3577f4cabbf9861db59e9c378 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Thu, 25 Dec 2014 19:23:12 +1100
Subject: [PATCH] src/sd2.c : Fix two potential buffer read overflows.

Closes: https://github.com/erikd/libsndfile/issues/93
---
 src/sd2.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Index: libsndfile-1.0.21/src/sd2.c
===================================================================
--- libsndfile-1.0.21.orig/src/sd2.c	2015-11-30 11:30:52.000000000 +0100
+++ libsndfile-1.0.21/src/sd2.c	2015-11-30 11:43:58.000000000 +0100
@@ -496,6 +496,11 @@
 
 	rsrc.type_offset = rsrc.map_offset + 30 ;
 
+        if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+        {       psf_log_printf (psf, "Bad map offset.\n") ;
+                goto parse_rsrc_fork_cleanup ;
+                } ;
+
 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
 	if (rsrc.type_count < 1)
 	{	psf_log_printf (psf, "Bad type count.\n") ;
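Review bot: The new guard `rsrc.map_offset + 28 > rsrc.rsrc_len` is short by the width of the read it protects: read_short at `map_offset + 28` consumes two bytes, so a map_offset of `rsrc_len - 28` or `rsrc_len - 27` passes the check and the read still runs one or two bytes past the end of rsrc_data. The bound should cover the full access, `if (rsrc.map_offset + 30 > rsrc.rsrc_len)`, which also matches the `type_offset = map_offset + 30` computed just above. If map_offset is a signed value parsed from the file (its type is not visible in this hunk), a negative value also passes this comparison and should be rejected with an explicit `rsrc.map_offset < 0 ||` term. The added lines are indented with spaces while the surrounding lines use tabs. The enclosing function starts and ends outside this hunk.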
@@ -512,8 +517,12 @@
 
 	rsrc.str_index = -1 ;
 	for (k = 0 ; k < rsrc.type_count ; k ++)
-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+        {       if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+                {       psf_log_printf (psf, "Bad rsrc marker.\n") ;
+                        goto parse_rsrc_fork_cleanup ;
+                        } ;
 
+		marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
 		if (marker == STR_MARKER)
 		{	rsrc.str_index = k ;
 			rsrc.str_count = read_short (rsrc.rsrc_data, rsrc.type_offset + k * 8 + 4) + 1 ;
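Review bot: The loop guard `rsrc.type_offset + k * 8 > rsrc.rsrc_len` still lets an out-of-bounds read through: an offset equal to `rsrc_len` passes, read_marker then reads four bytes starting at the end of the buffer, and the read_short two lines below reads at `+ 4` through `+ 5` with no check at all. Since each type entry is an 8-byte stride, bound the whole entry rather than its first byte, `if (rsrc.type_offset + k * 8 + 8 > rsrc.rsrc_len)`. Because type_count is already validated above the hunk, the same bound could be applied once before the loop on the last entry, `rsrc.type_offset + rsrc.type_count * 8 > rsrc.rsrc_len`, instead of per iteration. The for body and the enclosing function continue past the end of this hunk.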