Fix vlc wav handling heap overflow. A specially crafted .WAV file could

be used to achieve that with an overly large fmt chunk. (CVE-2008-2430)

1 files changed, 43 insertions, 0 deletions

diff --git a/multimedia/vlc/patches/patch-ae b/multimedia/vlc/patches/patch-ae
new file mode 100644
index 00000000000..51701369f3e
--- /dev/null
+++ b/multimedia/vlc/patches/patch-ae
@@ -0,0 +1,43 @@
+$NetBSD: patch-ae,v 1.5 2008/07/03 21:50:02 tonnerre Exp $
+
+--- modules/demux/wav.c.orig	2008-03-23 23:41:49.000000000 +0100
++++ modules/demux/wav.c
+@@ -103,7 +103,8 @@ static int Open( vlc_object_t * p_this )
+     demux_sys_t *p_sys;
+ 
+     uint8_t     *p_peek;
+-    unsigned int i_size, i_extended;
++    uint32_t	 i_size;
++    unsigned int i_extended;
+     char        *psz_name;
+ 
+     WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
+@@ -136,7 +137,8 @@ static int Open( vlc_object_t * p_this )
+         msg_Err( p_demux, "cannot find 'fmt ' chunk" );
+         goto error;
+     }
+-    if( i_size < sizeof( WAVEFORMATEX ) - 2 )   /* XXX -2 isn't a typo */
++    i_size += 2;
++    if( i_size < sizeof( WAVEFORMATEX ) )
+     {
+         msg_Err( p_demux, "invalid 'fmt ' chunk" );
+         goto error;
+@@ -144,14 +146,15 @@ static int Open( vlc_object_t * p_this )
+     stream_Read( p_demux->s, NULL, 8 );   /* Cannot fail */
+ 
+     /* load waveformatex */
+-    p_wf_ext = malloc( __EVEN( i_size ) + 2 );
++    p_wf_ext = malloc( i_size );
+     if( p_wf_ext == NULL )
+          goto error;
+ 
+     p_wf = (WAVEFORMATEX *)p_wf_ext;
+     p_wf->cbSize = 0;
+-    if( stream_Read( p_demux->s,
+-                     p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
++    i_size -= 2;
++    if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
++     || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
+     {
+         msg_Err( p_demux, "cannot load 'fmt ' chunk" );
+         goto error;