1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From dbe14f00030af5d3577f4cabbf9861db59e9c378 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Thu, 25 Dec 2014 19:23:12 +1100
Subject: [PATCH] src/sd2.c : Fix two potential buffer read overflows.
Closes: https://github.com/erikd/libsndfile/issues/93
---
src/sd2.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
Index: libsndfile-1.0.21/src/sd2.c
===================================================================
--- libsndfile-1.0.21.orig/src/sd2.c 2015-11-30 11:30:52.000000000 +0100
+++ libsndfile-1.0.21/src/sd2.c 2015-11-30 11:43:58.000000000 +0100
@@ -496,6 +496,11 @@
rsrc.type_offset = rsrc.map_offset + 30 ;
+ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad map offset.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
if (rsrc.type_count < 1)
{ psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,8 +517,12 @@
rsrc.str_index = -1 ;
for (k = 0 ; k < rsrc.type_count ; k ++)
- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+ marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
if (marker == STR_MARKER)
{ rsrc.str_index = k ;
rsrc.str_count = read_short (rsrc.rsrc_data, rsrc.type_offset + k * 8 + 4) + 1 ;
|
