From d70d0f76c38d293863adabc70a2b51b38836dd18532f19b03bb3a911722e3c91 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Tue, 25 Sep 2007 19:12:55 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsndfile?expand=0&rev=4
---
 libsndfile-1.0.17-flac-buffer-overflow.patch | 38 ++++++++++++++++++++
 libsndfile.changes | 6 ++++
 libsndfile.spec | 12 ++++---
 3 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 libsndfile-1.0.17-flac-buffer-overflow.patch
diff --git a/libsndfile-1.0.17-flac-buffer-overflow.patch b/libsndfile-1.0.17-flac-buffer-overflow.patch
new file mode 100644
index 0000000..19c70f1
--- /dev/null
+++ b/libsndfile-1.0.17-flac-buffer-overflow.patch
@@ -0,0 +1,38 @@
+--- src/flac.c-dist 2007-09-20 15:19:03.000000000 +0200
++++ src/flac.c 2007-09-20 15:19:45.000000000 +0200
+@@ -50,7 +50,7 @@ flac_open (SF_PRIVATE *psf)
+ ** Private static functions.
+ */
+
+-#define ENC_BUFFER_SIZE 4096
++#define ENC_BUFFER_SIZE 8192
+
+ typedef enum
+ { PFLAC_PCM_SHORT = 0,
+@@ -172,6 +172,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ const FLAC__int32* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset ;
+
++ /*
++ ** frame->header.blocksize is variable and we're using a constant blocksize
++ ** of FLAC__MAX_BLOCK_SIZE.
++ ** Check our assumptions here.
++ */
++ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
++ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
++ psf->error = SFE_INTERNAL ;
++ return 0 ;
++ } ;
++
+ if (pflac->ptr == NULL)
+ { /*
+ ** Not sure why this code is here and not elsewhere.
+@@ -180,7 +191,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ pflac->bufferbackup = SF_TRUE ;
+ for (i = 0 ; i < frame->header.channels ; i++)
+ { if (pflac->rbuffer [i] == NULL)
+- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
++ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
+ memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
+ } ;
+ pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
diff --git a/libsndfile.changes b/libsndfile.changes
index edd08cd..e7a87da 100644
--- a/libsndfile.changes
+++ b/libsndfile.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 20 15:22:45 CEST 2007 - tiwai@suse.de
+
+- VUL-0: Heap-based buffer overflow in flac.c (#326070,
+ CVE-2007-4974)
+
 -------------------------------------------------------------------
 Mon Apr 16 13:56:20 CEST 2007 - tiwai@suse.de
 
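Review bot: In the src/flac.c patch carried by libsndfile-1.0.17-flac-buffer-overflow.patch, the new psf_log_printf call in flac_buffer_copy passes four arguments (`__func__`, `__LINE__`, `frame->header.blocksize`, `FLAC__MAX_BLOCK_SIZE`) to a format string with only two `%d` conversions, so the message would report the function-name pointer and the line number instead of the two sizes; if psf_log_printf consumes its arguments printf-style, reading a pointer through `%d` is also not portable. Drop the two extra arguments, `psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;`, or add conversions that match them. In the last inner hunk the result of `calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32))` still goes straight into `memcpy` with no NULL check, so an allocation failure becomes a write through a null pointer; set `psf->error` and return 0 there, as the new blocksize guard does. The loop bound `frame->header.channels` also comes from the decoded frame and the size of `rbuffer` is not visible in this patch, so it is worth confirming that the channel count is bounded before this loop in the same way as the block size. flac_buffer_copy begins and ends outside these hunks.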
diff --git a/libsndfile.spec b/libsndfile.spec index 30f168a..c6825d2 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -14,15 +14,16 @@ Name: libsndfile BuildRequires: alsa-devel flac-devel gcc-c++ libstdc++-devel pkgconfig sqlite-devel Summary: A Library to Handle Various Audio File Formats Version: 1.0.17 -Release: 36 -License: GNU Library General Public License v. 2.0 and 2.1 (LGPL) +Release: 80 +License: LGPL v2 or later Group: System/Libraries Obsoletes: libsnd Provides: libsnd Source: libsndfile-%{version}.tar.bz2 Patch: libsndfile-flac-1.1.4-fix.diff Patch1: libsndfile-ac.diff -URL: http://www.mega-nerd.com/libsndfile/ +Patch2: libsndfile-1.0.17-flac-buffer-overflow.patch +Url: http://www.mega-nerd.com/libsndfile/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -88,6 +89,7 @@ Authors: %setup %patch %patch1 +%patch2 %build %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter @@ -143,8 +145,10 @@ test "$RPM_BUILD_ROOT" != "/" -a -d "$RPM_BUILD_ROOT" && rm -rf $RPM_BUILD_ROOT %{_datadir}/octave/site/m/sndfile_load.m %{_datadir}/octave/site/m/sndfile_play.m %{_datadir}/octave/site/m/sndfile_save.m - %changelog +* Thu Sep 20 2007 - tiwai@suse.de +- VUL-0: Heap-based buffer overflow in flac.c (#326070, + CVE-2007-4974) * Mon Apr 16 2007 - tiwai@suse.de - Move docs and manpages to appropriate sub-packages (#264820) - Remove static library (#264820)