[BACK]Return to patch-CVE-2017-12678 CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / audio / taglib / patches

File: [cvs.NetBSD.org] / pkgsrc / audio / taglib / patches / Attic / patch-CVE-2017-12678 (download)

Revision 1.1, Thu Jul 18 09:36:37 2019 UTC (20 months, 4 weeks ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3
Branch point for: pkgsrc-2019Q2

taglib: Add patches from upstream's git for the following CVEs:

CVE-2017-12678 - denial-of-service
CVE-2018-11439 - information-disclosure

Bump PKGREVISION.

$NetBSD: patch-CVE-2017-12678,v 1.1 2019/07/18 09:36:37 nia Exp $

Fix CVE-2017-12678

In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp
has a pointer to cast vulnerability, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via a crafted
audio file. 

Upstream commit:
https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a

--- taglib/mpeg/id3v2/id3v2framefactory.cpp.orig	2016-10-24 03:03:23.000000000 +0000
+++ taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrame
      tag->frameList("TDAT").size() == 1)
   {
     TextIdentificationFrame *tdrc =
-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
 
-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
        tdrc->fieldList().front().size() == 4 &&
        tdat->data().size() >= 5)
     {