Date:      Thu, 10 Sep 2015 19:46:30 +0000 (UTC)
From:      Christian Weisgerber <naddy@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r396600 - in head/audio/opus-tools: . files
Message-ID:  <201509101946.t8AJkU1a062121@repo.freebsd.org>

Author: naddy
Date: Thu Sep 10 19:46:30 2015
New Revision: 396600
URL: https://svnweb.freebsd.org/changeset/ports/396600

Log:
  Fix opusenc buffer overflow, channel integer overflow, and division
  by zero.  (Same code as vorbis-tools oggenc.)
  
  PR:		202941
  Obtained from:	https://trac.xiph.org/ticket/2212
  Obtained from:	https://trac.xiph.org/changeset/19117
  Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
  Security:	CVE-2015-6749
  Security:	CVE-2014-9638
  Security:	CVE-2014-9639
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  MFH:		2015Q3

Added:
  head/audio/opus-tools/files/patch-src_audio-in.c   (contents, props changed)
Modified:
  head/audio/opus-tools/Makefile

Modified: head/audio/opus-tools/Makefile
==============================================================================
--- head/audio/opus-tools/Makefile	Thu Sep 10 19:42:05 2015	(r396599)
+++ head/audio/opus-tools/Makefile	Thu Sep 10 19:46:30 2015	(r396600)
@@ -2,7 +2,7 @@
 
 PORTNAME=	opus-tools
 PORTVERSION=	0.1.9
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	audio
 MASTER_SITES=	http://downloads.xiph.org/releases/opus/ \
 		MOZILLA/opus

Added: head/audio/opus-tools/files/patch-src_audio-in.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/audio/opus-tools/files/patch-src_audio-in.c	Thu Sep 10 19:46:30 2015	(r396600)
@@ -0,0 +1,85 @@
+--- src/audio-in.c.orig	2014-02-26 00:55:47 UTC
++++ src/audio-in.c
+@@ -42,6 +42,7 @@
+ # define _FILE_OFFSET_BITS 64
+ #endif
+ 
++#include <limits.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -287,13 +288,14 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
++    unsigned int len, readlen;
++    unsigned char buffer[22];
+     unsigned char buf2[8];
+     int bigendian = 1;
+     aiff_fmt format;
+     aifffile *aiff;
+     int i;
++    long channels;
+     (void)buflen;/*unused*/
+ 
+     if(buf[11]=='C')
+@@ -313,19 +315,25 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
++    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++    if(fread(buffer,1,readlen,in) < readlen ||
++        (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF reading AIFF header\n"));
+         return 0;
+     }
+ 
+-    format.channels = READ_U16_BE(buffer);
++    format.channels = channels = READ_U16_BE(buffer);
+     format.totalframes = READ_U32_BE(buffer+2);
+     format.samplesize = READ_U16_BE(buffer+6);
+     format.rate = (int)read_IEEE80(buffer+8);
+ 
++    if(channels <= 0L || SHRT_MAX < channels)
++    {
++        fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
++        return 0;
++    }
++
+     if(aifc)
+     {
+         if(len < 22)
+@@ -442,6 +450,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, 
+     wav_fmt format;
+     wavfile *wav;
+     int i;
++    long channels;
+     (void)buflen;/*unused*/
+     (void)oldbuf;/*unused*/
+ 
+@@ -481,12 +490,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, 
+     }
+ 
+     format.format =      READ_U16_LE(buf);
+-    format.channels =    READ_U16_LE(buf+2);
++    format.channels = channels = READ_U16_LE(buf+2);
+     format.samplerate =  READ_U32_LE(buf+4);
+     format.bytespersec = READ_U32_LE(buf+8);
+     format.align =       READ_U16_LE(buf+12);
+     format.samplesize =  READ_U16_LE(buf+14);
+ 
++    if(channels <= 0L || SHRT_MAX < channels)
++    {
++        fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
++        return 0;
++    }
++
+     if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
+     {
+       if(len<40)
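Review bot: The new `unsigned char buffer[22];` in aiff_open has an unexplained size that must stay in step with the `if(len < 22)` test in the AIFC branch and with the offsets parsed from it, of which `buffer+8` for the 80-bit rate is the furthest visible. A comment on the declaration such as `/* COMM chunk: 18 bytes for AIFF, 22 with the AIFC compression type */` would record that. Because `readlen` is clamped to `len`, a chunk shorter than the parsed fields would leave the tail of this stack buffer uninitialised when it is read. The length test behind `return 0; /* Weird common chunk */` presumably excludes this, but its condition lies outside the patch context and is worth confirming. The `channels <= 0L || SHRT_MAX < channels` test is repeated verbatim in wav_open and could move into one small static helper; both function bodies start and end outside the lines shown.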


