1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Description: aiff: fix crash on empty comment chunk (CVE-2017-15642)
This fixes a use after free and double free if an empty comment
chunk follows a non-empty one.
Author: Mans Rullgard <mans@mansr.com>
Origin: upstream, https://github.com/mansr/sox/commit/0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2
--- a/src/aiff.c 2012-01-23 23:27:33.000000000 +0100
+++ b/src/aiff.c 2019-02-28 10:46:46.358710941 +0100
@@ -62,7 +62,6 @@
size_t ssndsize = 0;
char *annotation;
char *author;
- char *comment = NULL;
char *copyright;
char *nametext;
@@ -270,6 +269,7 @@
free(annotation);
}
else if (strncmp(buf, "COMT", (size_t)4) == 0) {
+ char *comment = NULL;
rc = commentChunk(&comment, "Comment:", ft);
if (rc) {
/* Fail already called in function */
|
