Imported Debian patch 1.0.16-2+etch2
Nico Golde authored 14 years ago
IOhannes m zmölnig committed 7 years ago
0 | libsndfile (1.0.16-2+etch2) oldstable-security; urgency=high | |
1 | ||
2 | * Non-maintainer upload by the Security Team. | |
3 | * This update addresses the following security issues: | |
4 | - CVE-2009-1788: heap-based buffer overflow in voc_read_header | |
5 | leading to arbitrary code execution via crafted VOC headers. | |
6 | - CVE-2009-1791: heap-based buffer overflow in aiff_read_header | |
7 | leading to arbitrary code execution via crafted AIFF headers. | |
8 | (Closes: #528650). | |
9 | ||
10 | -- Nico Golde <nion@debian.org> Fri, 12 Jun 2009 11:54:53 +0000 | |
11 | ||
0 | 12 | libsndfile (1.0.16-2+etch1) oldstable-security; urgency=high |
1 | 13 | |
2 | 14 | * Non-maintainer upload by the Security Team. |
691 | 691 | psf_log_printf (psf, " Count : %d\n", mark_count) ; |
692 | 692 | |
693 | 693 | for (n = 0 ; n < mark_count && bytesread < dword ; n++) |
694 | { bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ; | |
695 | psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ; | |
696 | ||
697 | pstr_len += (pstr_len & 1) + 1 ; /* fudgy, fudgy, hack, hack */ | |
698 | ||
699 | bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ; | |
700 | psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ; | |
694 | { unsigned int pstr_len ; | |
695 | unsigned char ch ; | |
696 | ||
697 | bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ; | |
698 | psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ; | |
699 | ||
700 | pstr_len = (ch & 1) ? ch : ch + 1 ; | |
701 | ||
702 | if (pstr_len < sizeof (psf->u.scbuf) - 1) | |
703 | { bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ; | |
704 | psf->u.scbuf [pstr_len] = 0 ; | |
705 | } | |
706 | else | |
707 | { unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ; | |
708 | bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ; | |
709 | psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ; | |
710 | } | |
711 | ||
712 | psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ; | |
701 | 713 | |
702 | 714 | markstr [n].markerID = mark_id ; |
703 | 715 | markstr [n].position = position ; |
208 | 208 | |
209 | 209 | psf_log_printf (psf, " ASCII : %d\n", size) ; |
210 | 210 | |
211 | if (size < sizeof (psf->header) - 1) | |
212 | { offset += psf_binheader_readf (psf, "b", psf->header, size) ; | |
213 | psf->header [size] = 0 ; | |
214 | psf_log_printf (psf, " text : %s\n", psf->header) ; | |
215 | continue ; | |
216 | } | |
217 | ||
211 | 218 | offset += psf_binheader_readf (psf, "b", psf->header, size) ; |
212 | 219 | psf->header [size] = 0 ; |
213 | 220 | psf_log_printf (psf, " text : %s\n", psf->header) ; |