Commit 479d988a2d676ab60aec354eb79f2196f081963b - libsndfile

Imported Debian patch 1.0.16-2+etch2 Nico Golde authored 14 years ago IOhannes m zmölnig committed 7 years ago

3 changed file(s) with 38 addition(s) and 7 deletion(s). Raw diff Collapse all Expand all

+12

-0

debian/changelog less more

	0	libsndfile (1.0.16-2+etch2) oldstable-security; urgency=high
	1
	2	* Non-maintainer upload by the Security Team.
	3	* This update addresses the following security issues:
	4	- CVE-2009-1788: heap-based buffer overflow in voc_read_header
	5	leading to arbitrary code execution via crafted VOC headers.
	6	- CVE-2009-1791: heap-based buffer overflow in aiff_read_header
	7	leading to arbitrary code execution via crafted AIFF headers.
	8	(Closes: #528650).
	9
	10	-- Nico Golde <nion@debian.org> Fri, 12 Jun 2009 11:54:53 +0000
	11
0	12	libsndfile (1.0.16-2+etch1) oldstable-security; urgency=high
1	13
2	14	* Non-maintainer upload by the Security Team.

+19

-7

src/aiff.c less more

691	691	psf_log_printf (psf, " Count : %d\n", mark_count) ;
692	692
693	693	for (n = 0 ; n < mark_count && bytesread < dword ; n++)
694		{ bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ;
695		psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
696
697		pstr_len += (pstr_len & 1) + 1 ; /* fudgy, fudgy, hack, hack */
698
699		bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
700		psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
	694	{ unsigned int pstr_len ;
	695	unsigned char ch ;
	696
	697	bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ;
	698	psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
	699
	700	pstr_len = (ch & 1) ? ch : ch + 1 ;
	701
	702	if (pstr_len < sizeof (psf->u.scbuf) - 1)
	703	{ bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
	704	psf->u.scbuf [pstr_len] = 0 ;
	705	}
	706	else
	707	{ unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ;
	708	bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ;
	709	psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ;
	710	}
	711
	712	psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
701	713
702	714	markstr [n].markerID = mark_id ;
703	715	markstr [n].position = position ;

-0

src/voc.c less more

208	208
209	209	psf_log_printf (psf, " ASCII : %d\n", size) ;
210	210
	211	if (size < sizeof (psf->header) - 1)
	212	{ offset += psf_binheader_readf (psf, "b", psf->header, size) ;
	213	psf->header [size] = 0 ;
	214	psf_log_printf (psf, " text : %s\n", psf->header) ;
	215	continue ;
	216	}
	217
211	218	offset += psf_binheader_readf (psf, "b", psf->header, size) ;
212	219	psf->header [size] = 0 ;
213	220	psf_log_printf (psf, " text : %s\n", psf->header) ;