upstream/oracle/userland-gate: components/libsndfile/patches/CVE-2014-9496.patch@d9c3d6e422bf

summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help


Fix two potential buffer read overflows.

Upstream bug report:
https://github.com/erikd/libsndfile/issues/93

Upstream fix:
https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378

--- libsndfile-1.0.23/src/sd2.c.orig	2015-01-07 13:06:58.205315569 -0800
+++ libsndfile-1.0.23/src/sd2.c	2015-01-07 13:15:21.501444431 -0800
@@ -496,6 +496,11 @@
 
 	rsrc.type_offset = rsrc.map_offset + 30 ;
 
+	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+	{	psf_log_printf (psf, "Bad map offset.\n") ;
+		goto parse_rsrc_fork_cleanup ;
+		} ;
+
 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
 	if (rsrc.type_count < 1)
 	{	psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +517,12 @@
 
 	rsrc.str_index = -1 ;
 	for (k = 0 ; k < rsrc.type_count ; k ++)
-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
+			goto parse_rsrc_fork_cleanup ;
+			} ;
+
+		marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
 
 		if (marker == STR_MARKER)
 		{	rsrc.str_index = k ;

author	Rich Burridge <rich.burridge@oracle.com>
	Thu, 08 Jan 2015 08:21:05 -0800
branch	s11-update
changeset 3600	d9c3d6e422bf
permissions	-rw-r--r--