aboutsummaryrefslogtreecommitdiffstats
path: root/audio/sox
diff options
context:
space:
mode:
authoreik <eik@FreeBSD.org>2004-07-29 05:39:53 +0800
committereik <eik@FreeBSD.org>2004-07-29 05:39:53 +0800
commit15f32fa509966388872f19bc098024f44d75fa01 (patch)
tree451470eaa2d8a6405e0bae2ea21ccae9c9ec540f /audio/sox
parent5a7811ef3bb720f5ee346d1d4c6d95d7ec3b4064 (diff)
downloadfreebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.tar.gz
freebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.tar.zst
freebsd-ports-graphics-15f32fa509966388872f19bc098024f44d75fa01.zip
Fix SoX buffer overflows when handling .WAV files (CAN-2004-0557)
Buffer overflow when parsing .wav file headers in sox. The IFF chunks concerned have a 2-byte size field, but sox reads them into a 256-byte buffer. portaudit reference: <http://www.freebsd.org/ports/portaudit/3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d.html> PR: 69725 Submitted by: Dan Nelson <dnelson@allantgroup.com> (maintainer)
Diffstat (limited to 'audio/sox')
-rw-r--r--audio/sox/Makefile2
-rw-r--r--audio/sox/files/patch-wav.c24
2 files changed, 25 insertions, 1 deletions
diff --git a/audio/sox/Makefile b/audio/sox/Makefile
index 0936d55e2a5..4b10f7a15be 100644
--- a/audio/sox/Makefile
+++ b/audio/sox/Makefile
@@ -7,7 +7,7 @@
PORTNAME= sox
PORTVERSION= 12.17.4
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= sox
diff --git a/audio/sox/files/patch-wav.c b/audio/sox/files/patch-wav.c
new file mode 100644
index 00000000000..2e760088825
--- /dev/null
+++ b/audio/sox/files/patch-wav.c
@@ -0,0 +1,24 @@
+--- wav.c.old 2002-12-31 04:19:22.000000000 +0100
++++ wav.c 2004-07-18 19:25:46.000000000 +0200
+@@ -917,6 +917,10 @@
+ } else if(strncmp(magic,"ICRD",4) == 0){
+ st_readdw(ft,&len);
+ len = (len + 1) & ~1;
++ if (len > 254) {
++ fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n");
++ exit(109);
++ }
+ st_reads(ft,text,len);
+ if (strlen(ft->comment) + strlen(text) < 254)
+ {
+@@ -926,6 +930,10 @@
+ } else if(strncmp(magic,"ISFT",4) == 0){
+ st_readdw(ft,&len);
+ len = (len + 1) & ~1;
++ if (len > 254) {
++ fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n");
++ exit(110);
++ }
+ st_reads(ft,text,len);
+ if (strlen(ft->comment) + strlen(text) < 254)
+ {