f4cb7977c0
- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow added patch fix-buffer-overflow.patch OBS-URL: https://build.opensuse.org/request/show/633734 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/soundtouch?expand=0&rev=28
Index: soundtouch/source/SoundStretch/WavFile.cpp
===================================================================
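--- soundtouch.orig/source/SoundStretch/WavFile.cpp
+++ soundtouch/source/SoundStretch/WavFile.cpp
@@ -528,12 +528,16 @@ int WavInFile::readHeaderBlock()
 // read length of the format field
 if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
 // swap byte order if necessary
- _swap32(nLen); // int format_len;
- header.format.format_len = nLen;
+ _swap32(nLen);
 
- // calculate how much length differs from expected
+ // calculate how much length differs from expected
 nDump = nLen - ((int)sizeof(header.format) - 8);
 
+ // verify that header length isn't smaller than expected structure
+ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
 // if format_len is larger than expected, read only as much data as we've space for
 if (nDump > 0)
 {
@@ -569,12 +573,16 @@ int WavInFile::readHeaderBlock()
 // read length of the fact field
 if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
 // swap byte order if necessary
- _swap32(nLen); // int fact_len;
- header.fact.fact_len = nLen;
+ _swap32(nLen);
 
 // calculate how much length differs from expected
 nDump = nLen - ((int)sizeof(header.fact) - 8);
 
+ // verify that fact length isn't smaller than expected structure
+ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.fact.fact_len = nLen;
+
 // if format_len is larger than expected, read only as much data as we've space for
 if (nDump > 0)
 {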
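Review bot: The subtraction `nDump = nLen - ((int)sizeof(header.format) - 8);` still runs before `nLen` is checked for being negative, so a file-supplied length close to INT_MIN makes the signed subtraction overflow, which is undefined behaviour, before the new guard is reached; the fact-chunk hunk has the same ordering. Rejecting the negative length first with `if (nLen < 0) return -1;` directly after `_swap32(nLen);`, and testing `if (nDump < 0) return -1;` only after the subtraction, keeps the check well-defined. The comment above `if (nDump > 0)` in the second hunk still says format_len where the fact length is meant. readHeaderBlock starts and ends outside both hunks, so how nDump is used to skip the excess bytes cannot be confirmed from here.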