From: =?utf-8?q?J=C3=B6rn_Heusipp?= <osmanx@problemloesungsmaschine.de>
Date: Wed, 12 Jul 2017 00:00:00 +0200
Subject: Fix heap buffer overflows when writing strings in binheader
Origin: upstream
Applied-Upstream: cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
---
src/common.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/common.c b/src/common.c
index b9f3223..ecce9a7 100644
--- a/src/common.c
+++ b/src/common.c
@@ -675,15 +675,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
/* Write a C string (guaranteed to have a zero terminator). */
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) + 1 ;
- size += (size & 1) ;
- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
- header_put_be_int (psf, size) ;
+ header_put_be_int (psf, size + (size & 1)) ;
else
- header_put_le_int (psf, size) ;
+ header_put_le_int (psf, size + (size & 1)) ;
+ size += (size & 1) ;
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ;
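Review bot: The `memcpy` now runs after the added `size += (size & 1) ;`, so whenever `strlen (strptr) + 1` is odd it copies one byte more than the source string holds and reads past the terminator of `strptr`. The destination side looks right, since the new bounds check reserves the 4-byte length field plus the padded string, but the source over-read remains and can fault or leak an adjacent byte into the header. Copy the unpadded length first and pad afterwards: `memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;` then `size += (size & 1) ;`; the existing `psf->header.ptr [psf->header.indx - 1] = 0 ;` then zeroes the pad byte. `psf_binheader_writef` starts and ends outside this hunk, so the declared type of `size` and whether the early `return count ;` skips cleanup are not visible here and are worth checking.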