1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
#! /bin/sh /usr/share/dpatch/dpatch-run
## overflow.dpatch by Samuel Mimram <smimram@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix a buffer overflow (CVE-2007-4974). See #443386.
@DPATCH@
diff -urNad libsndfile-1.0.17~/src/flac.c libsndfile-1.0.17/src/flac.c
--- libsndfile-1.0.17~/src/flac.c 2007-09-20 23:38:16.000000000 +0000
+++ libsndfile-1.0.17/src/flac.c 2007-09-20 23:38:16.000000000 +0000
@@ -57,7 +57,7 @@
** Private static functions.
*/
-#define ENC_BUFFER_SIZE 4096
+#define ENC_BUFFER_SIZE 8192
typedef enum
{ PFLAC_PCM_SHORT = 0,
@@ -202,6 +202,17 @@
const FLAC__int32* const *buffer = pflac->wbuffer ;
unsigned i = 0, j, offset ;
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+ ** Check our assumptions here.
+ */
+ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
+ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
+ psf->error = SFE_INTERNAL ;
+ return 0 ;
+ } ;
+
if (pflac->ptr == NULL)
{ /*
** Not sure why this code is here and not elsewhere.
@@ -210,7 +221,7 @@
pflac->bufferbackup = SF_TRUE ;
for (i = 0 ; i < frame->header.channels ; i++)
{ if (pflac->rbuffer [i] == NULL)
- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
+ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
} ;
pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
|
