diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch |
reinit the tree, so we can have metadata
Diffstat (limited to 'media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch')
-rw-r--r-- | media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch new file mode 100644 index 000000000000..79859df0274f --- /dev/null +++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch @@ -0,0 +1,92 @@ +Patches taken as references: +https://github.com/mark4o/opus-tools/commit/8c412e619b83eb6dd32191909cf6672e93e5802e +https://trac.xiph.org/attachment/ticket/2212/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch +To fix bug report: +http://www.openwall.com/lists/oss-security/2015/08/29/1 + https://bugs.gentoo.org/show_bug.cgi?id=559170 +https://bugs.gentoo.org/show_bug.cgi?id=537422 +--- oggenc/audio.h ++++ oggenc/audio.h +@@ -25,7 +25,7 @@ + + typedef struct { + short format; +- short channels; ++ unsigned short channels; + int samplerate; + int bytespersec; + short align; +@@ -44,7 +44,7 @@ + } wavfile; + + typedef struct { +- short channels; ++ unsigned short channels; + int totalframes; + short samplesize; + int rate; +--- oggenc/audio.c ++++ oggenc/audio.c +@@ -245,8 +245,8 @@ + int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) + { + int aifc; /* AIFC or AIFF? */ +- unsigned int len; +- unsigned char *buffer; ++ unsigned int len,readlen; ++ unsigned char buffer[22]; + unsigned char buf2[8]; + aiff_fmt format; + aifffile *aiff = malloc(sizeof(aifffile)); +@@ -269,9 +269,9 @@ + return 0; /* Weird common chunk */ + } + +- buffer = alloca(len); +- +- if(fread(buffer,1,len,in) < len) ++ readlen = len < sizeof(buffer) ? len : sizeof(buffer); ++ if(fread(buffer,1,readlen,in) < readlen || ++ (len > readlen && !seek_forward(in, len-readlen))) + { + fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n")); + return 0; +@@ -277,11 +277,18 @@ + return 0; + } + +- format.channels = READ_U16_BE(buffer); ++ format.channels = (short)READ_U16_BE(buffer); + format.totalframes = READ_U32_BE(buffer+2); + format.samplesize = READ_U16_BE(buffer+6); + format.rate = (int)read_IEEE80(buffer+8); + ++ if(format.channels <=0) ++ { ++ fprintf(stderr, _("ERROR: Invalid channel count in AIFF header\n")); ++ return 0; ++ ++ } ++ + aiff->bigendian = 1; + + if(aifc) +@@ -449,11 +449,17 @@ + } + + format.format = READ_U16_LE(buf); +- format.channels = READ_U16_LE(buf+2); ++ format.channels = (short)READ_U16_LE(buf+2); + format.samplerate = READ_U32_LE(buf+4); + format.bytespersec = READ_U32_LE(buf+8); + format.align = READ_U16_LE(buf+12); + format.samplesize = READ_U16_LE(buf+14); ++ ++ if(format.channels == 0) ++ { ++ fprintf(stderr, _("ERROR: Zero channels in WAV header\n")); ++ return 0; ++ } + + if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */ + { |