#! /bin/sh /usr/share/dpatch/dpatch-run ## overflow.dpatch by Samuel Mimram <smimram@debian.org> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fix a buffer overflow (CVE-2007-4974). See #443386. @DPATCH@ diff -urNad libsndfile-1.0.17~/src/flac.c libsndfile-1.0.17/src/flac.c --- libsndfile-1.0.17~/src/flac.c 2007-09-20 23:38:16.000000000 +0000 +++ libsndfile-1.0.17/src/flac.c 2007-09-20 23:38:16.000000000 +0000 @@ -57,7 +57,7 @@ ** Private static functions. */ -#define ENC_BUFFER_SIZE 4096 +#define ENC_BUFFER_SIZE 8192 typedef enum { PFLAC_PCM_SHORT = 0, @@ -202,6 +202,17 @@ const FLAC__int32* const *buffer = pflac->wbuffer ; unsigned i = 0, j, offset ; + /* + ** frame->header.blocksize is variable and we're using a constant blocksize + ** of FLAC__MAX_BLOCK_SIZE. + ** Check our assumptions here. + */ + if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE) + { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ; + psf->error = SFE_INTERNAL ; + return 0 ; + } ; + if (pflac->ptr == NULL) { /* ** Not sure why this code is here and not elsewhere. @@ -210,7 +221,7 @@ pflac->bufferbackup = SF_TRUE ; for (i = 0 ; i < frame->header.channels ; i++) { if (pflac->rbuffer [i] == NULL) - pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ; + pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ; memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ; } ; pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;