diff options
author | eik <eik@FreeBSD.org> | 2004-07-29 05:39:53 +0800 |
---|---|---|
committer | eik <eik@FreeBSD.org> | 2004-07-29 05:39:53 +0800 |
commit | 15f32fa509966388872f19bc098024f44d75fa01 (patch) | |
tree | 451470eaa2d8a6405e0bae2ea21ccae9c9ec540f /audio/sox | |
parent | 5a7811ef3bb720f5ee346d1d4c6d95d7ec3b4064 (diff) | |
download | freebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.tar.gz freebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.tar.zst freebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.zip |
Fix SoX buffer overflows when handling .WAV files (CAN-2004-0557)
Buffer overflow when parsing .wav file headers in sox. The IFF chunks
concerned have a 2-byte size field, but sox reads them into a 256-byte
buffer.
portaudit reference:
<http://www.freebsd.org/ports/portaudit/3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d.html>
PR: 69725
Submitted by: Dan Nelson <dnelson@allantgroup.com> (maintainer)
Diffstat (limited to 'audio/sox')
-rw-r--r-- | audio/sox/Makefile | 2 | ||||
-rw-r--r-- | audio/sox/files/patch-wav.c | 24 |
2 files changed, 25 insertions, 1 deletions
diff --git a/audio/sox/Makefile b/audio/sox/Makefile index 0936d55e2a5..4b10f7a15be 100644 --- a/audio/sox/Makefile +++ b/audio/sox/Makefile @@ -7,7 +7,7 @@ PORTNAME= sox PORTVERSION= 12.17.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= sox diff --git a/audio/sox/files/patch-wav.c b/audio/sox/files/patch-wav.c new file mode 100644 index 00000000000..2e760088825 --- /dev/null +++ b/audio/sox/files/patch-wav.c @@ -0,0 +1,24 @@ +--- wav.c.old 2002-12-31 04:19:22.000000000 +0100 ++++ wav.c 2004-07-18 19:25:46.000000000 +0200 +@@ -917,6 +917,10 @@ + } else if(strncmp(magic,"ICRD",4) == 0){ + st_readdw(ft,&len); + len = (len + 1) & ~1; ++ if (len > 254) { ++ fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n"); ++ exit(109); ++ } + st_reads(ft,text,len); + if (strlen(ft->comment) + strlen(text) < 254) + { +@@ -926,6 +930,10 @@ + } else if(strncmp(magic,"ISFT",4) == 0){ + st_readdw(ft,&len); + len = (len + 1) & ~1; ++ if (len > 254) { ++ fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n"); ++ exit(110); ++ } + st_reads(ft,text,len); + if (strlen(ft->comment) + strlen(text) < 254) + { |