Accepting request 508087 from multimedia:libs

1

OBS-URL: https://build.opensuse.org/request/show/508087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libquicktime?expand=0&rev=54

libquicktime-1.2.4-integer_overflow.patch

@@ -1,13 +1,22 @@
-Index: libquicktime-1.2.4/src/util.c
+Index: libquicktime/src/util.c
 ===================================================================
---- libquicktime-1.2.4.orig/src/util.c
+--- libquicktime.orig/src/util.c
-+++ libquicktime-1.2.4/src/util.c
++++ libquicktime/src/util.c
-@@ -340,7 +340,7 @@ int64_t quicktime_byte_position(quicktim
+@@ -376,9 +376,14 @@ int64_t quicktime_byte_position(quicktim
  
  void quicktime_read_pascal(quicktime_t *file, char *data)
  {
 -	char len = quicktime_read_char(file);
-+	unsigned char len = quicktime_read_char(file);
+-	quicktime_read_data(file, (uint8_t*)data, len);
- 	quicktime_read_data(file, (uint8_t*)data, len);
+-	data[(int)len] = 0;
- 	data[(int)len] = 0;
++	int len = quicktime_read_char(file);
++	if ((len > 0) && (len < 256)) {
++          /* data[] is expected to be 256 bytes long */
++          quicktime_read_data(file, (uint8_t*)data, len);
++          data[len] = 0;
++        } else {
++          data[0] = 0;
++        }
  }
+ 
+ void quicktime_write_pascal(quicktime_t *file, char *data)

libquicktime.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul  4 10:28:44 UTC 2017 - kstreitova@suse.com
+
+- adjust libquicktime-1.2.4-integer_overflow.patch to prevent
+  endless loop when there are less than 256 bytes to read
+  [bsc#1022805] CVE-2016-2399
+
 -------------------------------------------------------------------
 Fri Jun 23 21:58:19 UTC 2017 - kstreitova@suse.com