From a7988bb31cc06d226e4e9be95bc400e85aaa4847 Mon Sep 17 00:00:00 2001
From: bsiegert
Date: Tue, 29 Dec 2015 15:12:20 +0000
Subject: Fix CVE-2015-6749 in vorbis-tools: Buffer overflow in the aiff_open function in oggenc/audio.c in vorbis-tools 1.4.0 and earlier allows remote attackers to cause a denial of service (crash) via a crafted AIFF file. Bump pkgrevision.
---
 audio/vorbis-tools/Makefile | 4 +--
 audio/vorbis-tools/distinfo | 3 +-
 audio/vorbis-tools/patches/patch-oggenc_audio.c | 40 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 audio/vorbis-tools/patches/patch-oggenc_audio.c
diff --git a/audio/vorbis-tools/Makefile b/audio/vorbis-tools/Makefile
index 837bb4bd406..1bfbec0bea8 100644
--- a/audio/vorbis-tools/Makefile
+++ b/audio/vorbis-tools/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2015/03/21 19:06:54 bsiegert Exp $
+# $NetBSD: Makefile,v 1.62 2015/12/29 15:12:20 bsiegert Exp $
 DISTNAME= vorbis-tools-1.4.0
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= audio
 MASTER_SITES= http://downloads.xiph.org/releases/vorbis/
diff --git a/audio/vorbis-tools/distinfo b/audio/vorbis-tools/distinfo
index cdb05ccafa0..d7407c3aefb 100644
--- a/audio/vorbis-tools/distinfo
+++ b/audio/vorbis-tools/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2015/11/03 01:12:53 agc Exp $
+$NetBSD: distinfo,v 1.26 2015/12/29 15:12:20 bsiegert Exp $
 SHA1 (vorbis-tools-1.4.0.tar.gz) = fc6a820bdb5ad6fcac074721fab5c3f96eaf6562
 RMD160 (vorbis-tools-1.4.0.tar.gz) = ff21e5c9456ac0a82b8eda4e53931db8522a2ccd
@@ -8,3 +8,4 @@ SHA1 (patch-aa) = ea37946fb3a227d91eeb3ea94a9a7c9f8a3ef021
 SHA1 (patch-ab) = 00c0a5a9388baf79fd944e12cda1da65e2e8676c
 SHA1 (patch-ac) = 781ad97014c81f9fd40166cc29112247ef4acd6d
 SHA1 (patch-ae) = 60ca36c35325e4228ea7f7f5b3a60cd57b56b0cd
+SHA1 (patch-oggenc_audio.c) = 358aa58c2da15ce96db5163eec914df6fda2d9b2
diff --git a/audio/vorbis-tools/patches/patch-oggenc_audio.c b/audio/vorbis-tools/patches/patch-oggenc_audio.c
new file mode 100644
index 00000000000..6b50e71d264
--- /dev/null
+++ b/audio/vorbis-tools/patches/patch-oggenc_audio.c
@@ -0,0 +1,40 @@
+$NetBSD: patch-oggenc_audio.c,v 1.1 2015/12/29 15:12:20 bsiegert Exp $
+
+From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
+From: Mark Harris
+Date: Sun, 30 Aug 2015 05:54:46 -0700
+Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
+
+Fixes https://trac.xiph.org/ticket/2212
+---
+ oggenc/audio.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/oggenc/audio.c b/oggenc/audio.c
+index 477da8c..4921fb9 100644
+--- oggenc/audio.c
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len, readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ return 0; /* Weird common chunk */
+ }
+
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0;
-- 
cgit v1.2.3
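Review bot: The new `unsigned char buffer[22];` in aiff_open has an unexplained size and is left uninitialised, so when the file-supplied `len` is below 22 only `readlen` bytes are filled and the rest of the array is indeterminate. The fix is sound only if the later parsing (outside these hunks, so not confirmable here) never reads past `buffer[readlen-1]`; in particular any AIFF-C path that looks at bytes 18..21 needs a `len >= 22` check first. I would document the invariant on the declaration, e.g. `/* COMM body: 18 fixed bytes + 4-byte AIFF-C compression type; only the first readlen bytes are valid */`, and consider `unsigned char buffer[22] = {0};` so a missed check reads zeros rather than stack residue. Separately, `aiff` is malloc'd at its declaration and the `return 0` in the Unexpected-EOF branch shown here has no `free(aiff)` before it, so each rejected file appears to leak it. aiff_open's body begins before and continues after the lines shown.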