OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsndfile?expand=0&rev=4

libsndfile-1.0.17-flac-buffer-overflow.patch

@@ -0,0 +1,38 @@
+--- src/flac.c-dist	2007-09-20 15:19:03.000000000 +0200
++++ src/flac.c	2007-09-20 15:19:45.000000000 +0200
+@@ -50,7 +50,7 @@ flac_open (SF_PRIVATE *psf)
+ ** Private static functions.
+ */
+ 
+-#define ENC_BUFFER_SIZE 4096
++#define ENC_BUFFER_SIZE 8192
+ 
+ typedef enum
+ {	PFLAC_PCM_SHORT = 0,
+@@ -172,6 +172,17 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ 	const FLAC__int32* const *buffer = pflac->wbuffer ;
+ 	unsigned i = 0, j, offset ;
+ 
++	/*
++	**	frame->header.blocksize is variable and we're using a constant blocksize
++	**	of FLAC__MAX_BLOCK_SIZE.
++	**	Check our assumptions here.
++	*/
++	if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
++	{	psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
++		psf->error = SFE_INTERNAL ;
++		return 0 ;
++		} ;
++
+ 	if (pflac->ptr == NULL)
+ 	{	/*
+ 		**	Not sure why this code is here and not elsewhere.
+@@ -180,7 +191,7 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ 		pflac->bufferbackup = SF_TRUE ;
+ 		for (i = 0 ; i < frame->header.channels ; i++)
+ 		{	if (pflac->rbuffer [i] == NULL)
+-				pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
++				pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
+ 			memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
+ 			} ;
+ 		pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;

libsndfile.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 20 15:22:45 CEST 2007 - tiwai@suse.de
+
+- VUL-0: Heap-based buffer overflow in flac.c (#326070,
+  CVE-2007-4974)
+
 -------------------------------------------------------------------
 Mon Apr 16 13:56:20 CEST 2007 - tiwai@suse.de
 

libsndfile.spec

@@ -14,15 +14,16 @@ Name:           libsndfile
 BuildRequires:  alsa-devel flac-devel gcc-c++ libstdc++-devel pkgconfig sqlite-devel
 Summary:        A Library to Handle Various Audio File Formats
 Version:        1.0.17
-Release:        36
+Release:        80
-License:        GNU Library General Public License v. 2.0 and 2.1 (LGPL)
+License:        LGPL v2 or later
 Group:          System/Libraries
 Obsoletes:      libsnd
 Provides:       libsnd
 Source:         libsndfile-%{version}.tar.bz2
 Patch:          libsndfile-flac-1.1.4-fix.diff
 Patch1:         libsndfile-ac.diff
-URL:            http://www.mega-nerd.com/libsndfile/
+Patch2:         libsndfile-1.0.17-flac-buffer-overflow.patch
+Url:            http://www.mega-nerd.com/libsndfile/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -88,6 +89,7 @@ Authors:
 %setup
 %patch
 %patch1
+%patch2
 
 %build
 %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter
@@ -143,8 +145,10 @@ test "$RPM_BUILD_ROOT" != "/" -a -d "$RPM_BUILD_ROOT" && rm -rf $RPM_BUILD_ROOT
 %{_datadir}/octave/site/m/sndfile_load.m
 %{_datadir}/octave/site/m/sndfile_play.m
 %{_datadir}/octave/site/m/sndfile_save.m
-
 %changelog
+* Thu Sep 20 2007 - tiwai@suse.de
+- VUL-0: Heap-based buffer overflow in flac.c (#326070,
+  CVE-2007-4974)
 * Mon Apr 16 2007 - tiwai@suse.de
 - Move docs and manpages to appropriate sub-packages (#264820)
 - Remove static library (#264820)