9a5849cf67
Fix heap buffer overflows when writing strings in binheader
Add to-be-upstreamed patches from openSUSE:
0001-FLAC-Fix-a-buffer-read-overrun.patch
0002-src-flac.c-Fix-a-buffer-read-overflow.patch
0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
Ref:
RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1483140
Upstream Github issue: https://github.com/erikd/libsndfile/issues/292
Upstream CVE-2017-12562 patch commit: cf7a8182c2
24 lines
790 B
Diff
24 lines
790 B
Diff
From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001
|
|
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
|
Date: Tue, 23 May 2017 20:15:24 +1000
|
|
Subject: [PATCH] src/aiff.c: Fix a buffer read overflow
|
|
|
|
Secunia Advisory SA76717.
|
|
|
|
Found by: Laurent Delosieres, Secunia Research at Flexera Software
|
|
---
|
|
src/aiff.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
--- a/src/aiff.c
|
|
+++ b/src/aiff.c
|
|
@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, uns
|
|
psf_binheader_readf (psf, "j", dword - bytesread) ;
|
|
|
|
if (map_info->channel_map != NULL)
|
|
- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ;
|
|
+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ;
|
|
|
|
free (psf->channel_map) ;
|
|
|