Resolves: CVE-2015-6749 - oggenc: fix large alloca on bad AIFF input

This commit is contained in:
Kamil Dudka 2015-08-31 14:37:27 +02:00
parent 8725588599
commit a43b11da4a
2 changed files with 51 additions and 1 deletions

View File

@ -0,0 +1,43 @@
From 16d10a1c957425a49cf74332b99cf3d39e80cc09 Mon Sep 17 00:00:00 2001
From: Mark Harris <mark.hsj@gmail.com>
Date: Sun, 30 Aug 2015 05:54:46 -0700
Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
Fixes #2212
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
oggenc/audio.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/oggenc/audio.c b/oggenc/audio.c
index 1cbb214..547e826 100644
--- a/oggenc/audio.c
+++ b/oggenc/audio.c
@@ -246,8 +246,8 @@ static int aiff_permute_matrix[6][6] =
int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
{
int aifc; /* AIFC or AIFF? */
- unsigned int len;
- unsigned char *buffer;
+ unsigned int len, readlen;
+ unsigned char buffer[22];
unsigned char buf2[8];
aiff_fmt format;
aifffile *aiff = malloc(sizeof(aifffile));
@@ -271,9 +271,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
return 0; /* Weird common chunk */
}
- buffer = alloca(len);
-
- if(fread(buffer,1,len,in) < len)
+ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
+ if(fread(buffer,1,readlen,in) < readlen ||
+ (len > readlen && !seek_forward(in, len-readlen)))
{
fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
return 0;
--
2.4.6

View File

@ -1,7 +1,7 @@
Summary: The Vorbis General Audio Compression Codec tools Summary: The Vorbis General Audio Compression Codec tools
Name: vorbis-tools Name: vorbis-tools
Version: 1.4.0 Version: 1.4.0
Release: 21%{?dist} Release: 22%{?dist}
Epoch: 1 Epoch: 1
Group: Applications/Multimedia Group: Applications/Multimedia
License: GPLv2 License: GPLv2
@ -24,6 +24,9 @@ Patch4: vorbis-tools-1.4.0-bz1185558.patch
# validate count of channels in the header (CVE-2014-9638 and CVE-2014-9639) # validate count of channels in the header (CVE-2014-9638 and CVE-2014-9639)
Patch5: vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch Patch5: vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch
# oggenc: fix large alloca on bad AIFF input (CVE-2015-6749)
Patch6: vorbis-tools-1.4.0-CVE-2015-6749.patch
BuildRequires: flac-devel BuildRequires: flac-devel
BuildRequires: gettext BuildRequires: gettext
BuildRequires: libao-devel BuildRequires: libao-devel
@ -50,6 +53,7 @@ comment editor.
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%build %build
@ -77,6 +81,9 @@ rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}*
%changelog %changelog
* Mon Aug 31 2015 Kamil Dudka <kdudka@redhat.com> - 1:1.4.0-22
- oggenc: fix large alloca on bad AIFF input (CVE-2015-6749)
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.4.0-21 * Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.4.0-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild