pool/soundtouch
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 633734 from home:mcalabkova:branches:multimedia:libs

Browse Source 
- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow 
  added patch fix-buffer-overflow.patch

OBS-URL: https://build.opensuse.org/request/show/633734
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/soundtouch?expand=0&rev=28
This commit is contained in:
Ismail Dönmez 2018-09-06 13:14:45 +00:00 committed by Git OBS Bridge
parent ef2135529e
commit f4cb7977c0
3 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
fix-buffer-overflow.patch Normal file
View File

@ -0,0 +1,44 @@
Index: soundtouch/source/SoundStretch/WavFile.cpp
===================================================================
--- soundtouch.orig/source/SoundStretch/WavFile.cpp
+++ soundtouch/source/SoundStretch/WavFile.cpp
@@ -528,12 +528,16 @@ int WavInFile::readHeaderBlock()
// read length of the format field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int format_len;
- header.format.format_len = nLen;
+ _swap32(nLen);
- // calculate how much length differs from expected
+ // calculate how much length differs from expected
nDump = nLen - ((int)sizeof(header.format) - 8);
+ // verify that header length isn't smaller than expected structure
+ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
{
@@ -569,12 +573,16 @@ int WavInFile::readHeaderBlock()
// read length of the fact field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int fact_len;
- header.fact.fact_len = nLen;
+ _swap32(nLen);
// calculate how much length differs from expected
nDump = nLen - ((int)sizeof(header.fact) - 8);
+ // verify that fact length isn't smaller than expected structure
+ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.fact.fact_len = nLen;
+
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
{

6
soundtouch.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Sep 6 12:29:20 UTC 2018 - Marketa Calabkova <mcalabkova@suse.com>
- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow
added patch fix-buffer-overflow.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 13 08:44:37 UTC 2018 - jengelh@inai.de Tue Mar 13 08:44:37 UTC 2018 - jengelh@inai.de

2
soundtouch.spec
View File

@ -32,6 +32,7 @@ BuildRequires: automake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
Patch0: fix-buffer-overflow.patch
%description %description
SoundTouch is a C++ audio processing library that allows SoundTouch is a C++ audio processing library that allows
@ -73,6 +74,7 @@ SoundTouch.
tr -d '\r' <README.html >README.html~ tr -d '\r' <README.html >README.html~
touch -r README.html README.html~ touch -r README.html README.html~
mv README.html~ README.html mv README.html~ README.html
%patch0 -p1
%build %build
./bootstrap ./bootstrap