From 62253534ba684d98da8254151d5e6de716cc1151 Mon Sep 17 00:00:00 2001
From: drochner
Date: Wed, 21 Jan 2009 15:19:27 +0000
Subject: (attempt to) fix CVE-2008-5824 (buffer overflow in msadpcm.c), see Debian bug #510205, just done correctly. The IMA code might have similar problems. The code appearently can't handle stereo files correctly anyway, so bail out if >1 channel which should avoid the problem. bump PKGREVISION
---
 audio/libaudiofile/Makefile | 4 ++--
 audio/libaudiofile/distinfo | 4 +++-
 audio/libaudiofile/patches/patch-ac | 24 ++++++++++++++++++++++++
 audio/libaudiofile/patches/patch-ad | 27 +++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 3 deletions(-)
 create mode 100644 audio/libaudiofile/patches/patch-ac
 create mode 100644 audio/libaudiofile/patches/patch-ad
(limited to 'audio/libaudiofile')
diff --git a/audio/libaudiofile/Makefile b/audio/libaudiofile/Makefile
index 9b6219fab28..d40f1b12813 100644
--- a/audio/libaudiofile/Makefile
+++ b/audio/libaudiofile/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2008/05/25 14:45:16 tron Exp $
+# $NetBSD: Makefile,v 1.43 2009/01/21 15:19:27 drochner Exp $
 DISTNAME= audiofile-0.2.6
 PKGNAME= lib${DISTNAME}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= audio
 MASTER_SITES= http://www.68k.org/~michael/audiofile/ \
 ${MASTER_SITE_GNOME:=sources/audiofile/0.2/}
diff --git a/audio/libaudiofile/distinfo b/audio/libaudiofile/distinfo
index 078a63cd472..4b26e686f7a 100644
--- a/audio/libaudiofile/distinfo
+++ b/audio/libaudiofile/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.11 2005/04/27 08:59:41 wiz Exp $
+$NetBSD: distinfo,v 1.12 2009/01/21 15:19:27 drochner Exp $
 SHA1 (audiofile-0.2.6.tar.gz) = 94a6ab8e5122bc1971cf186e5a52d032811c9bc5
 RMD160 (audiofile-0.2.6.tar.gz) = b61fbc856768a5838ca5c0fad602f35205e8d037
 Size (audiofile-0.2.6.tar.gz) = 374688 bytes
 SHA1 (patch-aa) = 7c498a63fe055f1f7e16f45f655341a9b6708f71
 SHA1 (patch-ab) = cd292a827aa18b9839305b2c62c3dbd526384430
+SHA1 (patch-ac) = 7f3f10988bb198a1d673147098fee89de3dbcde4
+SHA1 (patch-ad) = 0986c009c104c18c5a85c847c53213756cf0c8a5
diff --git a/audio/libaudiofile/patches/patch-ac b/audio/libaudiofile/patches/patch-ac
new file mode 100644
index 00000000000..c2ba61aceeb
--- /dev/null
+++ b/audio/libaudiofile/patches/patch-ac
@@ -0,0 +1,24 @@
+$NetBSD: patch-ac,v 1.1 2009/01/21 15:19:27 drochner Exp $
+
+--- libaudiofile/modules/msadpcm.c.orig 2004-03-06 07:39:23.000000000 +0100
++++ libaudiofile/modules/msadpcm.c
+@@ -129,8 +129,7 @@ static int ms_adpcm_decode_block (ms_adp
+ ms_adpcm_state *state[2];
+
+ /* Calculate the number of bytes needed for decoded data. */
+- outputLength = msadpcm->samplesPerBlock * sizeof (int16_t) *
+- msadpcm->track->f.channelCount;
++ outputLength = msadpcm->samplesPerBlock * sizeof (int16_t);
+
+ channelCount = msadpcm->track->f.channelCount;
+
+@@ -180,8 +179,7 @@ static int ms_adpcm_decode_block (ms_adp
+ The first two samples have already been 'decoded' in
+ the block header.
+ */
+- samplesRemaining = (msadpcm->samplesPerBlock - 2) *
+- msadpcm->track->f.channelCount;
++ samplesRemaining = msadpcm->samplesPerBlock - (2 * channelCount);
+
+ while (samplesRemaining > 0)
+ {
diff --git a/audio/libaudiofile/patches/patch-ad b/audio/libaudiofile/patches/patch-ad
new file mode 100644
index 00000000000..3fb48eb37c6
--- /dev/null
+++ b/audio/libaudiofile/patches/patch-ad
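Review bot: In patch-ac, the new `samplesRemaining = msadpcm->samplesPerBlock - (2 * channelCount);` has no lower bound, so a file-supplied block size below `2 * channelCount` yields a zero or negative count (or a very large one if the variable is unsigned; its declaration is outside the hunk) even though, per the comment just above, two samples per channel were already taken from the block header. Assuming `msadpcm->samplesPerBlock` is the value that patch-ad now scales by the channel count in wave.c, both rewritten expressions evaluate to the same numbers as the lines they replace, so any protection of the output buffer has to come from other users of that field, which neither inner hunk shows. I would reject the block up front when `msadpcm->samplesPerBlock < 2 * channelCount`, and put a comment such as `/* samplesPerBlock counts samples over all channels; scaled in wave.c ParseFormat */` above the `outputLength` line so the two patches cannot drift apart. ms_adpcm_decode_block begins and ends outside both inner hunks.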
@@ -0,0 +1,27 @@
+$NetBSD: patch-ad,v 1.1 2009/01/21 15:19:27 drochner Exp $
+
+--- libaudiofile/wave.c.orig 2004-03-06 07:39:23.000000000 +0100
++++ libaudiofile/wave.c
+@@ -220,7 +220,8 @@ static status ParseFormat (AFfilehandle
+ extraByteCount = LENDIAN_TO_HOST_INT16(extraByteCount);
+
+ af_fread(&samplesPerBlock, 1, 2, fp);
+- samplesPerBlock = LENDIAN_TO_HOST_INT16(samplesPerBlock);
++ samplesPerBlock = LENDIAN_TO_HOST_INT16(samplesPerBlock)
++ * track->f.channelCount;
+
+ af_fread(&numCoefficients, 1, 2, fp);
+ numCoefficients = LENDIAN_TO_HOST_INT16(numCoefficients);
+@@ -281,6 +282,12 @@ static status ParseFormat (AFfilehandle
+ u_int16_t bitsPerSample, extraByteCount,
+ samplesPerBlock;
+
++ if (track->f.channelCount != 1) {
++ _af_error(AF_BAD_CHANNELS,
++ "WAVE file with IMA compression: "
++ "can only handle 1 channel");
++ }
++
+ af_fread(&bitsPerSample, 1, 2, fp);
+ bitsPerSample = LENDIAN_TO_HOST_INT16(bitsPerSample);
+
--
cgit v1.2.3
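Review bot: In patch-ad, the new IMA check calls `_af_error(AF_BAD_CHANNELS, ...)` and then falls out of the `if` with no `return`, so unless `_af_error` never returns (not visible here) ParseFormat keeps parsing a multi-channel file and the bail-out promised in the commit message does not happen; end the block with the function's failure status, presumably `return AF_FAIL;`. In the MS ADPCM branch, `LENDIAN_TO_HOST_INT16(samplesPerBlock) * track->f.channelCount` is stored back into `samplesPerBlock`, which is filled by a 2-byte `af_fread` and is declared `u_int16_t` in the IMA branch, so if it is 16 bits wide here too a large file-supplied value times the channel count is silently truncated. The product should be computed in a wider type and range-checked before it is assigned. ParseFormat begins and ends outside both inner hunks.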