Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 9 Sep 2015 20:07:02 +0000 (UTC)
From:      Christian Weisgerber <naddy@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r396532 - in head/audio/vorbis-tools: . files
Message-ID:  <201509092007.t89K72aS070457@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: naddy
Date: Wed Sep  9 20:07:01 2015
New Revision: 396532
URL: https://svnweb.freebsd.org/changeset/ports/396532

Log:
  Fix oggenc buffer overflow.
  
  PR:		202941
  Submitted by:	junovitch
  Obtained from:	https://trac.xiph.org/ticket/2212
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Security:	CVE-2015-6749
  MFH:		2015Q3

Added:
  head/audio/vorbis-tools/files/patch-oggenc_audio.c   (contents, props changed)
Modified:
  head/audio/vorbis-tools/Makefile

Modified: head/audio/vorbis-tools/Makefile
==============================================================================
--- head/audio/vorbis-tools/Makefile	Wed Sep  9 19:53:44 2015	(r396531)
+++ head/audio/vorbis-tools/Makefile	Wed Sep  9 20:07:01 2015	(r396532)
@@ -3,7 +3,7 @@
 
 PORTNAME=	vorbis-tools
 PORTVERSION=	1.4.0
-PORTREVISION=	8
+PORTREVISION=	9
 PORTEPOCH=	3
 CATEGORIES=	audio
 MASTER_SITES=	http://downloads.xiph.org/releases/vorbis/

Added: head/audio/vorbis-tools/files/patch-oggenc_audio.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/audio/vorbis-tools/files/patch-oggenc_audio.c	Wed Sep  9 20:07:01 2015	(r396532)
@@ -0,0 +1,26 @@
+--- oggenc/audio.c.orig	2010-03-24 08:27:14 UTC
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] = 
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
++    unsigned int len, readlen;
++    unsigned char buffer[22];
+     unsigned char buf2[8];
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
++    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++    if(fread(buffer,1,readlen,in) < readlen ||
++       (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+         return 0;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509092007.t89K72aS070457>