Attachment 131163 Details for Bug 192834 – libsndfile-1.0.17-flac-buffer-overflow.patch

[patch] libsndfile-1.0.17-flac-buffer-overflow.patch

libsndfile-1.0.17-flac-buffer-overflow.patch (text/plain), 1.40 KB, created by Robert Buchholz (RETIRED) on 2007-09-17 16:54:31 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2007-09-17 16:54:31 UTC

Size: 1.40 KB

patch

obsolete

>Index: libsndfile-1.0.17/src/flac.c
>===================================================================
>--- libsndfile-1.0.17.orig/src/flac.c
>+++ libsndfile-1.0.17/src/flac.c
>@@ -57,7 +57,7 @@ flac_open (SF_PRIVATE *psf)
> ** Private static functions.
> */
> 
>-#define ENC_BUFFER_SIZE 4096
>+#define ENC_BUFFER_SIZE 8192
> 
> typedef enum
> {	PFLAC_PCM_SHORT = 0,
>@@ -204,13 +204,24 @@ flac_buffer_copy (SF_PRIVATE *psf)
> 
> 	if (pflac->ptr == NULL)
> 	{	/*
>+		**	frame->header.blocksize is variable and we're using a constant blocksize
>+		**	of FLAC__MAX_BLOCK_SIZE.
>+		**	Check our assumptions here.
>+		*/
>+		if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
>+		{	psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
>+			psf->error = SFE_INTERNAL ;
>+			return 0 ;
>+			} ;
>+
>+		/*
> 		**	Not sure why this code is here and not elsewhere.
> 		**	Removing it causes valgrind errors.
> 		*/
> 		pflac->bufferbackup = SF_TRUE ;
> 		for (i = 0 ; i < frame->header.channels ; i++)
> 		{	if (pflac->rbuffer [i] == NULL)
>-				pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
>+				pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
> 			memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
> 			} ;
> 		pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;

Actions: View | Diff

Attachments on bug 192834: 131163 | 131171 | 131269 | 132116