libsndfile/patches/libsndfile-1.0.17-flac-buffer-overflow.patch

Index: libsndfile-1.0.17/src/flac.c
===================================================================
--- libsndfile-1.0.17.orig/src/flac.c
+++ libsndfile-1.0.17/src/flac.c
@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
 ** Private static functions.
 */
 
-#define ENC_BUFFER_SIZE 4096
+#define ENC_BUFFER_SIZE 8192
 
 typedef enum
 {	PFLAC_PCM_SHORT = 0,
@@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
 	const FLAC__int32* const *buffer = pflac->wbuffer ;
 	unsigned i = 0, j, offset ;
 
+	/*
+	**	frame->header.blocksize is variable and we're using a constant blocksize
+	**	of FLAC__MAX_BLOCK_SIZE.
+	**	Check our assumptions here.
+	*/
+	if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
+	{	psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
+		psf->error = SFE_INTERNAL ;
+		return 0 ;
+		} ;
+
 	if (pflac->ptr == NULL)
 	{	/*
 		**	Not sure why this code is here and not elsewhere.
@@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
 		pflac->bufferbackup = SF_TRUE ;
 		for (i = 0 ; i < frame->header.channels ; i++)
 		{	if (pflac->rbuffer [i] == NULL)
-				pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
+				pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
 			memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
 			} ;
 		pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
1	niro	396	Index: libsndfile-1.0.17/src/flac.c
2			===================================================================
3			--- libsndfile-1.0.17.orig/src/flac.c
4			+++ libsndfile-1.0.17/src/flac.c
5			@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
6			** Private static functions.
7			*/
8
9			-#define ENC_BUFFER_SIZE 4096
10			+#define ENC_BUFFER_SIZE 8192
11
12			typedef enum
13			{ PFLAC_PCM_SHORT = 0,
14			@@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
15			const FLAC__int32* const *buffer = pflac->wbuffer ;
16			unsigned i = 0, j, offset ;
17
18			+ /*
19			+ ** frame->header.blocksize is variable and we're using a constant blocksize
20			+ ** of FLAC__MAX_BLOCK_SIZE.
21			+ ** Check our assumptions here.
22			+ */
23			+ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
24			+ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
25			+ psf->error = SFE_INTERNAL ;
26			+ return 0 ;
27			+ } ;
28			+
29			if (pflac->ptr == NULL)
30			{ /*
31			** Not sure why this code is here and not elsewhere.
32			@@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
33			pflac->bufferbackup = SF_TRUE ;
34			for (i = 0 ; i < frame->header.channels ; i++)
35			{ if (pflac->rbuffer [i] == NULL)
36			- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
37			+ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
38			memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
39			} ;
40			pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;