![[BACK]](/icons/back.gif){kind=icon}
Return to patch-ac CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / audio / libaudiofile / patches|
Return to patch-ac CVS log | Up to [cvs.NetBSD.org] / pkgsrc / audio / libaudiofile / patches |
| File: [cvs.NetBSD.org] / pkgsrc / audio / libaudiofile / patches / Attic / patch-ac (download)
Revision 1.1, Wed Jan 21 15:19:27 2009 UTC (4 years, 3 months ago) by drochner
(attempt to) fix CVE-2008-5824 (buffer overflow in msadpcm.c), see Debian bug #510205, just done correctly. The IMA code might have similar problems. The code appearently can't handle stereo files correctly anyway, so bail out if >1 channel which should avoid the problem. bump PKGREVISION |
$NetBSD: patch-ac,v 1.1 2009/01/21 15:19:27 drochner Exp $
--- libaudiofile/modules/msadpcm.c.orig 2004-03-06 07:39:23.000000000 +0100
+++ libaudiofile/modules/msadpcm.c
@@ -129,8 +129,7 @@ static int ms_adpcm_decode_block (ms_adp
ms_adpcm_state *state[2];
/* Calculate the number of bytes needed for decoded data. */
- outputLength = msadpcm->samplesPerBlock * sizeof (int16_t) *
- msadpcm->track->f.channelCount;
+ outputLength = msadpcm->samplesPerBlock * sizeof (int16_t);
channelCount = msadpcm->track->f.channelCount;
@@ -180,8 +179,7 @@ static int ms_adpcm_decode_block (ms_adp
The first two samples have already been 'decoded' in
the block header.
*/
- samplesRemaining = (msadpcm->samplesPerBlock - 2) *
- msadpcm->track->f.channelCount;
+ samplesRemaining = msadpcm->samplesPerBlock - (2 * channelCount);
while (samplesRemaining > 0)
{