Annotation of /trunk/libsndfile/patches/libsndfile-1.0.17-flac-buffer-overflow.patch
Revision 396 -
Tue Nov 6 00:13:38 2007 UTC (16 years, 10 months ago) by niro
File size: 1518 byte(s)
-security fix
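Index: libsndfile-1.0.17/src/flac.c
===================================================================
--- libsndfile-1.0.17.orig/src/flac.c
+++ libsndfile-1.0.17/src/flac.c
@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
 ** Private static functions.
 */
 
-#define ENC_BUFFER_SIZE 4096
+#define ENC_BUFFER_SIZE 8192
 
 typedef enum
 { PFLAC_PCM_SHORT = 0,
@@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
 const FLAC__int32* const *buffer = pflac->wbuffer ;
 unsigned i = 0, j, offset ;
 
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+ ** Check our assumptions here.
+ */
+ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
+ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
+ psf->error = SFE_INTERNAL ;
+ return 0 ;
+ } ;
+
 if (pflac->ptr == NULL)
 { /*
 ** Not sure why this code is here and not elsewhere.
@@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
 pflac->bufferbackup = SF_TRUE ;
 for (i = 0 ; i < frame->header.channels ; i++)
 { if (pflac->rbuffer [i] == NULL)
- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
+ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
 memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
 } ;
 pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;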
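Review bot: The `psf_log_printf` call in the new blocksize check passes four arguments (`__func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE`) to a format string with only two `%d` conversions, so the first `%d` is fed the function-name pointer and the logged sizes will not be the real ones. Either drop `__func__, __LINE__` from the call or add matching conversions for them at the front of the format string. In the last hunk the result of `calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32))` is still passed straight to `memcpy` with no NULL test. An allocation failure there should bail out the way the new check does, e.g. `if (pflac->rbuffer [i] == NULL) { psf->error = SFE_MALLOC_FAILED ; return 0 ; }`. `flac_buffer_copy` starts and ends outside these hunks, so whether callers treat a 0 return with `psf->error` set as a hard stop should be confirmed against the full file.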