# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# T2 SDE: package/.../libsndfile/CVE-2007-4974.patch
# Copyright (C) 2007 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- T2-COPYRIGHT-NOTE-END ---
diff -Nur libsndfile-1.0.17-orig/src/flac.c libsndfile-1.0.17/src/flac.c
--- libsndfile-1.0.17-orig/src/flac.c 2007-11-04 19:40:01.000000000 +0000
+++ libsndfile-1.0.17/src/flac.c 2007-11-04 19:40:40.000000000 +0000
@@ -50,7 +50,7 @@
 ** Private static functions.
 */
 
-#define ENC_BUFFER_SIZE 4096
+#define ENC_BUFFER_SIZE 8192
 
 typedef enum
 { PFLAC_PCM_SHORT = 0,
@@ -172,6 +172,17 @@
 const FLAC__int32* const *buffer = pflac->wbuffer ;
 unsigned i = 0, j, offset ;
 
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+ ** Check our assumptions here.
+ */
+ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
+ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
+ psf->error = SFE_INTERNAL ;
+ return 0 ;
+ } ;
+
 if (pflac->ptr == NULL)
 { /*
 ** Not sure why this code is here and not elsewhere.
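Review bot: The new `ENC_BUFFER_SIZE` value of 8192 is a bare constant with no comment saying which bound it has to satisfy, so nothing in this hunk shows whether doubling it is sufficient or merely larger. Its uses lie outside the hunk. If it is meant to relate to the FLAC block size that this patch checks further down, deriving it from that limit or adding a compile-time check would make the relationship verifiable. At minimum, add a one-line comment above the define stating what the buffer holds and the largest input it must fit.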
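Review bot: The added `psf_log_printf` call passes four arguments (`__func__`, `__LINE__`, `frame->header.blocksize`, `FLAC__MAX_BLOCK_SIZE`) to a format string with only two `%d` conversions. The first `%d` is therefore paired with the `__func__` string pointer, and the two sizes the message is about are never printed. This line is the only diagnostic left when a file with an oversized block is rejected, so it should be accurate: drop the two leading arguments, i.e. `psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;`. `blocksize` is compared as an unsigned quantity here, so an unsigned conversion would be the better match if psf_log_printf provides one. The enclosing function starts and ends outside the hunk.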
@@ -180,7 +191,7 @@
 pflac->bufferbackup = SF_TRUE ;
 for (i = 0 ; i < frame->header.channels ; i++)
 { if (pflac->rbuffer [i] == NULL)
- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
+ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
 memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
 } ;
 pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
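Review bot: The result of the enlarged `calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32))` is still passed straight to `memcpy` without a NULL check, and the larger per-channel allocation makes a failure more likely than before. The unbraced `if` needs braces so the check can follow the allocation: `if (pflac->rbuffer [i] == NULL) { psf->error = SFE_MALLOC_FAILED ; return 0 ; }`. The copy length is still taken from `frame->header.blocksize`, which comes from the file, so this loop is only safe while the blocksize guard added earlier in this patch runs first in the same function. A short comment here pointing at that guard would keep a later refactor from separating them. The enclosing function starts and ends outside the hunk.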