components/libsndfile/patches/CVE-2014-9496.patch
author John Beck <John.Beck@Oracle.COM>
Wed, 18 Nov 2015 12:45:08 -0800
changeset 5106 7da49475ad49
parent 3598 5fdeba1e317c
permissions -rw-r--r--
22227841 SUNWpyyaml26 needs to be obsoleted
Fix two potential buffer read overflows.
Upstream bug report:
https://github.com/erikd/libsndfile/issues/93
Upstream fix:
https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378
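--- libsndfile-1.0.23/src/sd2.c.orig	2015-01-07 13:06:58.205315569 -0800
+++ libsndfile-1.0.23/src/sd2.c	2015-01-07 13:15:21.501444431 -0800
@@ -496,6 +496,11 @@
 
 	rsrc.type_offset = rsrc.map_offset + 30 ;
 
+	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+	{	psf_log_printf (psf, "Bad map offset.\n") ;
+		goto parse_rsrc_fork_cleanup ;
+		} ;
+
 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
 	if (rsrc.type_count < 1)
 	{	psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +517,12 @@
 
 	rsrc.str_index = -1 ;
 	for (k = 0 ; k < rsrc.type_count ; k ++)
-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
+			goto parse_rsrc_fork_cleanup ;
+			} ;
+
+		marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
 
 		if (marker == STR_MARKER)
 		{	rsrc.str_index = k ;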
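Review bot: Both added guards compare the start offset of the read with `rsrc.rsrc_len`, so an offset equal to the length, or a byte or two short of it, still passes and the following read runs past the end of `rsrc.rsrc_data`. In the first hunk `read_short` fetches from `rsrc.map_offset + 28`, and in the second `read_marker` fetches from `rsrc.type_offset + k * 8`; assuming they read two and four bytes (their definitions are outside the hunks), the guards should bound the end of the read: `if (rsrc.map_offset + 30 > rsrc.rsrc_len)` and `if (rsrc.type_offset + k * 8 + 4 > rsrc.rsrc_len)`. The field types are not visible here, so it is also worth confirming that a negative or very large offset taken from the file cannot make these sums wrap before the comparison. The enclosing function begins and ends outside both hunks.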