author | Rich Burridge <rich.burridge@oracle.com> |
Thu, 08 Jan 2015 08:21:05 -0800 | |
branch | s11-update |
changeset 3600 | d9c3d6e422bf |
permissions | -rw-r--r-- |
20300673 problem in LIBRARY/LIBSNDFILE
Fix two potential buffer read overflows. |
|
Upstream bug report: |
https://github.com/erikd/libsndfile/issues/93 |
|
Upstream fix: |
https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378 |
|
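--- libsndfile-1.0.23/src/sd2.c.orig 2015-01-07 13:06:58.205315569 -0800
+++ libsndfile-1.0.23/src/sd2.c 2015-01-07 13:15:21.501444431 -0800
@@ -496,6 +496,11 @@
 
 rsrc.type_offset = rsrc.map_offset + 30 ;
 
+ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad map offset.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
 rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
 if (rsrc.type_count < 1)
 { psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +517,12 @@
 
 rsrc.str_index = -1 ;
 for (k = 0 ; k < rsrc.type_count ; k ++)
- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
+ marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
 
 if (marker == STR_MARKER)
 { rsrc.str_index = k ;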
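Review bot: Both added bounds checks compare only the starting offset against `rsrc.rsrc_len` and ignore the width of the read that follows, so a malformed resource fork can still cause a read past the end of `rsrc.rsrc_data`. In the first hunk `rsrc.map_offset + 28 > rsrc.rsrc_len` accepts an offset equal to, or one below, the buffer length, yet `read_short` is then called at that offset; assuming it reads two bytes, the guard should be `if (rsrc.map_offset + 30 > rsrc.rsrc_len)`. In the second hunk the same applies before `read_marker`, and the stride of 8 suggests the whole type entry should be bounded: `if (rsrc.type_offset + k * 8 + 8 > rsrc.rsrc_len)`. The declarations are outside the hunks; if these offsets are signed `int`, a negative value taken from the file would also pass an upper-bound-only test, so a `< 0` check is worth adding. The enclosing function begins and ends outside both hunks.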