Contents of /trunk/libsndfile/patches/libsndfile-1.0.17-flac-buffer-overflow.patch
Revision 396 -
Tue Nov 6 00:13:38 2007 UTC (16 years, 10 months ago) by niro
File size: 1518 byte(s)
-security fix
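--- a/src/flac.c
+++ b/src/flac.c
@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
 ** Private static functions.
 */
 
-#define ENC_BUFFER_SIZE 4096
+#define ENC_BUFFER_SIZE 8192
 
 typedef enum
 { PFLAC_PCM_SHORT = 0,
@@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
 const FLAC__int32* const *buffer = pflac->wbuffer ;
 unsigned i = 0, j, offset ;
 
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+ ** Check our assumptions here.
+ */
+ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
+ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
+ psf->error = SFE_INTERNAL ;
+ return 0 ;
+ } ;
+
 if (pflac->ptr == NULL)
 { /*
 ** Not sure why this code is here and not elsewhere.
@@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
 pflac->bufferbackup = SF_TRUE ;
 for (i = 0 ; i < frame->header.channels ; i++)
 { if (pflac->rbuffer [i] == NULL)
- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
+ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
 memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
 } ;
 pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;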
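Review bot: The `psf_log_printf` call in the new blocksize guard of `flac_buffer_copy` passes four arguments (`__func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE`) to a format string with only two `%d` conversions. The log entry for a rejected frame would therefore show the function-name pointer and the line number rather than the offending blocksize and the limit, and a `char *` consumed as `%d` is a type mismatch. Either drop `__func__, __LINE__` from the call or, assuming `psf_log_printf` accepts `%s`, lead the format with matching conversions: `"%s (%d) : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n"`. In the last hunk the result of `calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32))` still goes straight into `memcpy` with no NULL check; a failed allocation should set `psf->error` and `return 0 ;` the way the new guard does. `flac_buffer_copy` starts and ends outside the hunks shown, so the remaining uses of `frame->header.blocksize` cannot be checked from here.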