Accepting request 633734 from home:mcalabkova:branches:multimedia:libs

- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow added patch fix-buffer-overflow.patch OBS-URL: https://build.opensuse.org/request/show/633734 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/soundtouch?expand=0&rev=28
2018-09-06 13:14:45 +00:00 · 2018-09-06 13:14:45 +00:00 · f4cb7977c0
commit f4cb7977c0
parent ef2135529e
3 changed files with 52 additions and 0 deletions
--- a/fix-buffer-overflow.patch
+++ b/fix-buffer-overflow.patch
@ -0,0 +1,44 @@
+	
+Index: soundtouch/source/SoundStretch/WavFile.cpp
+===================================================================
+--- soundtouch.orig/source/SoundStretch/WavFile.cpp
+++ soundtouch/source/SoundStretch/WavFile.cpp
+@@ -528,12 +528,16 @@ int WavInFile::readHeaderBlock()
+         // read length of the format field
+         if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+         // swap byte order if necessary
+-        _swap32(nLen); // int format_len;
+-        header.format.format_len = nLen;
+        _swap32(nLen);
+ 
+-        // calculate how much length differs from expected
+        // calculate how much length differs from expected 
+         nDump = nLen - ((int)sizeof(header.format) - 8);
+ 
+        // verify that header length isn't smaller than expected structure
+        if ((nLen < 0) || (nDump < 0)) return -1;
+
+        header.format.format_len = nLen;
+
+         // if format_len is larger than expected, read only as much data as we've space for
+         if (nDump > 0)
+         {
+@@ -569,12 +573,16 @@ int WavInFile::readHeaderBlock()
+         // read length of the fact field
+         if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+         // swap byte order if necessary
+-        _swap32(nLen); // int fact_len;
+-        header.fact.fact_len = nLen;
+        _swap32(nLen);
+ 
+         // calculate how much length differs from expected
+         nDump = nLen - ((int)sizeof(header.fact) - 8);
+ 
+        // verify that fact length isn't smaller than expected structure
+        if ((nLen < 0) || (nDump < 0)) return -1;
+
+        header.fact.fact_len = nLen;
+
+         // if format_len is larger than expected, read only as much data as we've space for
+         if (nDump > 0)
+         {
--- a/soundtouch.changes
+++ b/soundtouch.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep  6 12:29:20 UTC 2018 - Marketa Calabkova <mcalabkova@suse.com>
+
+- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow 
+  added patch fix-buffer-overflow.patch
+
 -------------------------------------------------------------------
 Tue Mar 13 08:44:37 UTC 2018 - jengelh@inai.de

--- a/soundtouch.spec
+++ b/soundtouch.spec
@ -32,6 +32,7 @@ BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
+Patch0:         fix-buffer-overflow.patch	

 %description
 SoundTouch is a C++ audio processing library that allows
@ -73,6 +74,7 @@ SoundTouch.
 tr -d '\r' <README.html >README.html~
 touch -r README.html README.html~
 mv README.html~ README.html
+%patch0 -p1

 %build
 ./bootstrap