Contents of /trunk/libsndfile/patches/libsndfile-1.0.17-flac-buffer-overflow.patch
Parent Directory
| 
Revision Log
Revision 396 -
(show annotations)
(download)
Tue Nov 6 00:13:38 2007 UTC (16 years, 5 months ago) by niro
File size: 1518 byte(s)
Tue Nov 6 00:13:38 2007 UTC (16 years, 5 months ago) by niro
File size: 1518 byte(s)
-security fix
| 1 | Index: libsndfile-1.0.17/src/flac.c |
| 2 | =================================================================== |
| 3 | --- libsndfile-1.0.17.orig/src/flac.c |
| 4 | +++ libsndfile-1.0.17/src/flac.c |
| 5 | @@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf) |
| 6 | ** Private static functions. |
| 7 | */ |
| 8 | |
| 9 | -#define ENC_BUFFER_SIZE 4096 |
| 10 | +#define ENC_BUFFER_SIZE 8192 |
| 11 | |
| 12 | typedef enum |
| 13 | { PFLAC_PCM_SHORT = 0, |
| 14 | @@ -202,6 +202,17 @@ flac_buffer_copy (SF_PRIVATE *psf) |
| 15 | const FLAC__int32* const *buffer = pflac->wbuffer ; |
| 16 | unsigned i = 0, j, offset ; |
| 17 | |
| 18 | + /* |
| 19 | + ** frame->header.blocksize is variable and we're using a constant blocksize |
| 20 | + ** of FLAC__MAX_BLOCK_SIZE. |
| 21 | + ** Check our assumptions here. |
| 22 | + */ |
| 23 | + if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE) |
| 24 | + { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ; |
| 25 | + psf->error = SFE_INTERNAL ; |
| 26 | + return 0 ; |
| 27 | + } ; |
| 28 | + |
| 29 | if (pflac->ptr == NULL) |
| 30 | { /* |
| 31 | ** Not sure why this code is here and not elsewhere. |
| 32 | @@ -210,7 +221,7 @@ flac_buffer_copy (SF_PRIVATE *psf) |
| 33 | pflac->bufferbackup = SF_TRUE ; |
| 34 | for (i = 0 ; i < frame->header.channels ; i++) |
| 35 | { if (pflac->rbuffer [i] == NULL) |
| 36 | - pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ; |
| 37 | + pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ; |
| 38 | memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ; |
| 39 | } ; |
| 40 | pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ; |