Package: libsndfile / 1.0.28-6

binheader-heapoverflow.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From: =?utf-8?q?J=C3=B6rn_Heusipp?= <osmanx@problemloesungsmaschine.de>
Date: Wed, 12 Jul 2017 00:00:00 +0200
Subject: Fix heap buffer overflows when writing strings in binheader

Origin: upstream
Applied-Upstream: cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
---
 src/common.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/common.c b/src/common.c
index b9f3223..ecce9a7 100644
--- a/src/common.c
+++ b/src/common.c
@@ -675,15 +675,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
 					/* Write a C string (guaranteed to have a zero terminator). */
 					strptr = va_arg (argptr, char *) ;
 					size = strlen (strptr) + 1 ;
-					size += (size & 1) ;
 
-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
 						return count ;
 
 					if (psf->rwf_endian == SF_ENDIAN_BIG)
-						header_put_be_int (psf, size) ;
+						header_put_be_int (psf, size + (size & 1)) ;
 					else
-						header_put_le_int (psf, size) ;
+						header_put_le_int (psf, size + (size & 1)) ;
+					size += (size & 1) ;
 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
 					psf->header.indx += size ;
 					psf->header.ptr [psf->header.indx - 1] = 0 ;