Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
20300673 problem in LIBRARY/LIBSNDFILE
authorRich Burridge <rich.burridge@oracle.com>
Wed, 07 Jan 2015 21:26:16 -0800
changeset 3598 5fdeba1e317c
parent 3597 c79130430988
child 3601 4da1857767d1
20300673 problem in LIBRARY/LIBSNDFILE
components/libsndfile/patches/CVE-2014-9496.patch file | annotate | diff | comparison | revisions 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libsndfile/patches/CVE-2014-9496.patch	Wed Jan 07 21:26:16 2015 -0800
@@ -0,0 +1,36 @@
+Fix two potential buffer read overflows.
+
+Upstream bug report:
+https://github.com/erikd/libsndfile/issues/93
+
+Upstream fix:
+https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378
+
+--- libsndfile-1.0.23/src/sd2.c.orig	2015-01-07 13:06:58.205315569 -0800
++++ libsndfile-1.0.23/src/sd2.c	2015-01-07 13:15:21.501444431 -0800
[email protected]@ -496,6 +496,11 @@
+ 
+ 	rsrc.type_offset = rsrc.map_offset + 30 ;
+ 
++	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
++	{	psf_log_printf (psf, "Bad map offset.\n") ;
++		goto parse_rsrc_fork_cleanup ;
++		} ;
++
+ 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
+ 	if (rsrc.type_count < 1)
+ 	{	psf_log_printf (psf, "Bad type count.\n") ;
[email protected]@ -512,7 +517,12 @@
+ 
+ 	rsrc.str_index = -1 ;
+ 	for (k = 0 ; k < rsrc.type_count ; k ++)
+-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
++	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
++		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
++			goto parse_rsrc_fork_cleanup ;
++			} ;
++
++		marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+ 
+ 		if (marker == STR_MARKER)
+ 		{	rsrc.str_index = k ;
upstream/oracle/userland-gate