From f030dd866d1e02cf17f609a687260887ba00a31055665603471ad2ac45e97b9c Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.com>
Date: Wed, 18 Apr 2012 09:44:29 +0000
Subject: [PATCH] Accepting request 114337 from
 home:tiwai:branches:multimedia:apps

- VUL-0: csound: buffer overflow in pv_import (CVE-2012-2106,
  bnc#757254),
  VUL-0: csound: buffer overflow in lpc_import (CVE-2012-2107,
  bnc#757255),
  VUL-0: csound: Stack-based buffer overflow in lpc_import
  (CVE-2012-2108, bnc#757256):
  a single patch for all three issues

OBS-URL: https://build.opensuse.org/request/show/114337
OBS-URL: https://build.opensuse.org/package/show/multimedia:apps/csound?expand=0&rev=13
---
 csound-fix-CVE-2012-2107.patch | 57 ++++++++++++++++++++++++++++++++++
 csound.changes                 | 11 +++++++
 csound.spec                    |  2 ++
 3 files changed, 70 insertions(+)
 create mode 100644 csound-fix-CVE-2012-2107.patch

diff --git a/csound-fix-CVE-2012-2107.patch b/csound-fix-CVE-2012-2107.patch
new file mode 100644
index 0000000..56732b9
--- /dev/null
+++ b/csound-fix-CVE-2012-2107.patch
@@ -0,0 +1,57 @@
+From 61d1df45ca9a52bab62892a3c3a13c41e6384505 Mon Sep 17 00:00:00 2001
+From: John ffitch <jpff@codemist.co.uk>
+Date: Tue, 6 Mar 2012 17:12:43 +0000
+Subject: [PATCH] security in utilities
+
+---
+ util/lpci_main.c |   17 ++++++++++++++---
+ util/pv_import.c |    4 ++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+--- a/util/lpci_main.c
++++ b/util/lpci_main.c
+@@ -73,17 +73,28 @@ int main(int argc, char **argv)
+             hdr.headersize, hdr.lpmagic, hdr.npoles, hdr.nvals,
+             hdr.framrate, hdr.srate, hdr.duration);
+     str = (char *)malloc(hdr.headersize-sizeof(LPHEADER)+4);
+-    fread(&hdr, sizeof(char), hdr.headersize-sizeof(LPHEADER)+4, inf);
++    if (str==NULL) {
++      printf("memory allocation failure\n");
++      exit(1);
++    }
++    if (hdr.headersize-sizeof(LPHEADER)+4 !=
++        fread(&hdr, sizeof(char), hdr.headersize-sizeof(LPHEADER)+4, inf)) {
++      printf("Ill formed data\n");
++      exit(1);
++    }
+     for (i=0; i<hdr.headersize-sizeof(LPHEADER)+4; i++)
+       putc(str[i],outf);
+     putc('\n', outf);
+-    coef = (MYFLT *)malloc((hdr.npoles+hdr.nvals)*sizeof(MYFLT));
++    coef = (MYFLT *)malloc(hdr.npoles*sizeof(MYFLT));
+     if (coef==NULL) {
+       printf("memory allocation failure\n");
+       exit(1);
+     }
+     for (i = 0; i<hdr.nvals; i++) {
+-      fread(&coef[0], sizeof(MYFLT), hdr.npoles, inf);
++      if (hdr.npoles != fread(coef, sizeof(MYFLT), hdr.npoles, inf)) {
++        printf("Ill formed data\n");
++        exit(1);
++      }
+       for (j=0; j<hdr.npoles; j++)
+         fprintf(outf, "%f%c", coef[j], (j==hdr.npoles-1 ? '\n' : ','));
+     }
+--- a/util/pv_import.c
++++ b/util/pv_import.c
+@@ -115,6 +115,10 @@ static int pv_import(CSOUND *csound, int
+       float *frame =
+         (float*) csound->Malloc(csound, data.nAnalysisBins*2*sizeof(float));
+       int i;
++      if (frame==NULL) {
++        csound->Message(csound, Str("Memory failure\n"));
++        exit(1);
++      }
+       for (i=1;;i++) {
+         int j;
+         for (j=0; j<data.nAnalysisBins*2; j++) {
diff --git a/csound.changes b/csound.changes
index 34076e8..a997fdf 100644
--- a/csound.changes
+++ b/csound.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Apr 18 11:21:46 CEST 2012 - tiwai@suse.de
+
+- VUL-0: csound: buffer overflow in pv_import (CVE-2012-2106,
+  bnc#757254),
+  VUL-0: csound: buffer overflow in lpc_import (CVE-2012-2107,
+  bnc#757255),
+  VUL-0: csound: Stack-based buffer overflow in lpc_import
+  (CVE-2012-2108, bnc#757256):
+  a single patch for all three issues
+
 -------------------------------------------------------------------
 Mon Feb 27 12:04:56 CET 2012 - tiwai@suse.de
 
diff --git a/csound.spec b/csound.spec
index 9607f8e..0a24e76 100644
--- a/csound.spec
+++ b/csound.spec
@@ -47,6 +47,7 @@ Url:            http://www.csounds.com
 Source:         Csound%{version}.tar.gz
 Source1:        README.SuSE
 Patch3:         %{name}-strncat-fix.patch
+Patch4:         csound-fix-CVE-2012-2107.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -67,6 +68,7 @@ Development files for Csound.
 %prep
 %setup -q -n Csound%{version}
 %patch3
+%patch4 -p1
 # remove __DATE__ from source files, causes unnecessary rebuilds
 sed -i 's:__DATE__:"":' Engine/musmon.c frontends/CsoundVST/CsoundVstFltk.cpp Top/main.c
 # copy readme