Takashi Iwai
55ab37e051
- A couple of security fixes:
* flac-fix-CVE-2014-8962.patch:
arbitrary code execution by a stack overflow (CVE-2014-8692,
bnc#906831)
* flac-fix-CVE-2014-9028.patch:
Heap overflow via specially crafted .flac files (CVE-2014-9028,
bnc#907016)
OBS-URL: https://build.opensuse.org/request/show/263117
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/flac?expand=0&rev=41
30 lines
1.2 KiB
Diff
30 lines
1.2 KiB
Diff
From fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 Mon Sep 17 00:00:00 2001
|
|
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
|
Date: Wed, 19 Nov 2014 19:35:59 -0800
|
|
Subject: [PATCH] src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
|
|
|
|
A file provided by the reporters caused the stream decoder to write to
|
|
un-allocated heap space resulting in a segfault. The solution is to
|
|
error out (by returning false from read_residual_partitioned_rice_())
|
|
instead of trying to continue to decode.
|
|
|
|
Fixes: CVE-2014-9028
|
|
Reported-by: Michele Spagnuolo,
|
|
Google Security Team <mikispag@google.com>
|
|
---
|
|
src/libFLAC/stream_decoder.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
--- a/src/libFLAC/stream_decoder.c
|
|
+++ b/src/libFLAC/stream_decoder.c
|
|
@@ -2725,7 +2725,8 @@ FLAC__bool read_residual_partitioned_ric
|
|
if(decoder->private_->frame.header.blocksize < predictor_order) {
|
|
send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
|
|
decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
|
|
- return true;
|
|
+ /* We have received a potentially malicious bt stream. All we can do is error out to avoid a heap overflow. */
|
|
+ return false;
|
|
}
|
|
}
|
|
else {
|